Alerts schemas
Defender for Cloud provides alerts that help you identify, understand, and respond to security threats. Alerts are generated when Defender for Cloud detects suspicious activity or a security-related issue in your environment. You can view these alerts in the Defender for Cloud portal, or you can export them to external tools for further analysis and response.
You can view these security alerts in Microsoft Defender for Cloud's pages - overview dashboard, alerts, resource health pages, or workload protections dashboard - and through external tools such as:
- Microsoft Sentinel - Microsoft's cloud-native SIEM. The Sentinel Connector gets alerts from Microsoft Defender for Cloud and sends them to the Log Analytics workspace for Microsoft Sentinel.
- Third-party SIEMs - Send data to Azure Event Hubs. Then integrate your Event Hubs data with a third-party SIEM. Learn more in Stream alerts to a SIEM, SOAR, or IT Service Management solution.
- The REST API - If you're using the REST API to access alerts, see the online Alerts API documentation.
If you're using any programmatic methods to consume the alerts, you need the correct schema to find the fields that are relevant to you. Also, if you're exporting to an Event Hubs or trying to trigger Workflow Automation with generic HTTP connectors, schemas should be utilized to properly parse the JSON objects.
Important
Since the schema is different for each of these scenarios, ensure you select the relevant tab.
The schemas
The Sentinel Connector gets alerts from Microsoft Defender for Cloud and sends them to the Log Analytics Workspace for Microsoft Sentinel.
To create a Microsoft Sentinel case or incident using Defender for Cloud alerts, you need the schema for those alerts shown.
Learn more in the Microsoft Sentinel documentation.
The data model of the schema
Field | Description |
---|---|
AlertName | Alert display name |
AlertType | unique alert identifier |
ConfidenceLevel | (Optional) The confidence level of this alert (High/Low) |
ConfidenceScore | (Optional) Numeric confidence indicator of the security alert |
Description | Description text for the alert |
DisplayName | The alert's display name |
EndTime | The impact end time of the alert (the time of the last event contributing to the alert) |
Entities | A list of entities related to the alert. This list can hold a mixture of entities of diverse types |
ExtendedLinks | (Optional) A bag for all links related to the alert. This bag can hold a mixture of links for diverse types |
ExtendedProperties | A bag of additional fields which are relevant to the alert |
IsIncident | Determines if the alert is an incident or a regular alert. An incident is a security alert that aggregates multiple alerts into one security incident |
ProcessingEndTime | UTC timestamp in which the alert was created |
ProductComponentName | (Optional) The name of a component inside the product which generated the alert. |
ProductName | constant ('Azure Security Center') |
ProviderName | unused |
RemediationSteps | Manual action items to take to remediate the security threat |
ResourceId | Full identifier of the affected resource |
Severity | The alert severity (High/Medium/Low/Informational) |
SourceComputerId | a unique GUID for the affected server (if the alert is generated on the server) |
SourceSystem | unused |
StartTime | The impact start time of the alert (the time of the first event contributing to the alert) |
SystemAlertId | Unique identifier of this security alert instance |
TenantId | the identifier of the parent Azure Active directory tenant of the subscription under which the scanned resource resides |
TimeGenerated | UTC timestamp on which the assessment took place (Security Center's scan time) (identical to DiscoveredTimeUTC) |
Type | constant ('SecurityAlert') |
VendorName | The name of the vendor that provided the alert (e.g. 'Microsoft') |
VendorOriginalId | unused |
WorkspaceResourceGroup | in case the alert is generated on a VM, Server, Virtual Machine Scale Set or App Service instance that reports to a workspace, contains that workspace resource group name |
WorkspaceSubscriptionId | in case the alert is generated on a VM, Server, Virtual Machine Scale Set or App Service instance that reports to a workspace, contains that workspace subscriptionId |
Related articles
- Log Analytics workspaces - Azure Monitor stores log data in a Log Analytics workspace, a container that includes data and configuration information
- Microsoft Sentinel - Microsoft's cloud-native SIEM
- Azure Event Hubs - Microsoft's fully managed, real-time data ingestion service