Alerts schemas

Defender for Cloud provides alerts that help you identify, understand, and respond to security threats. Alerts are generated when Defender for Cloud detects suspicious activity or a security-related issue in your environment. You can view these alerts in the Defender for Cloud portal, or you can export them to external tools for further analysis and response.

You can view these security alerts in Microsoft Defender for Cloud's pages - overview dashboard, alerts, resource health pages, or workload protections dashboard - and through external tools such as:

If you're using any programmatic methods to consume the alerts, you need the correct schema to find the fields that are relevant to you. Also, if you're exporting to an Event Hubs or trying to trigger Workflow Automation with generic HTTP connectors, schemas should be utilized to properly parse the JSON objects.

Important

Since the schema is different for each of these scenarios, ensure you select the relevant tab.

The schemas

The Sentinel Connector gets alerts from Microsoft Defender for Cloud and sends them to the Log Analytics Workspace for Microsoft Sentinel.

To create a Microsoft Sentinel case or incident using Defender for Cloud alerts, you need the schema for those alerts shown.

Learn more in the Microsoft Sentinel documentation.

The data model of the schema

Field Description
AlertName Alert display name
AlertType unique alert identifier
ConfidenceLevel (Optional) The confidence level of this alert (High/Low)
ConfidenceScore (Optional) Numeric confidence indicator of the security alert
Description Description text for the alert
DisplayName The alert's display name
EndTime The impact end time of the alert (the time of the last event contributing to the alert)
Entities A list of entities related to the alert. This list can hold a mixture of entities of diverse types
ExtendedLinks (Optional) A bag for all links related to the alert. This bag can hold a mixture of links for diverse types
ExtendedProperties A bag of additional fields which are relevant to the alert
IsIncident Determines if the alert is an incident or a regular alert. An incident is a security alert that aggregates multiple alerts into one security incident
ProcessingEndTime UTC timestamp in which the alert was created
ProductComponentName (Optional) The name of a component inside the product which generated the alert.
ProductName constant ('Azure Security Center')
ProviderName unused
RemediationSteps Manual action items to take to remediate the security threat
ResourceId Full identifier of the affected resource
Severity The alert severity (High/Medium/Low/Informational)
SourceComputerId a unique GUID for the affected server (if the alert is generated on the server)
SourceSystem unused
StartTime The impact start time of the alert (the time of the first event contributing to the alert)
SystemAlertId Unique identifier of this security alert instance
TenantId the identifier of the parent Azure Active directory tenant of the subscription under which the scanned resource resides
TimeGenerated UTC timestamp on which the assessment took place (Security Center's scan time) (identical to DiscoveredTimeUTC)
Type constant ('SecurityAlert')
VendorName The name of the vendor that provided the alert (e.g. 'Microsoft')
VendorOriginalId unused
WorkspaceResourceGroup in case the alert is generated on a VM, Server, Virtual Machine Scale Set or App Service instance that reports to a workspace, contains that workspace resource group name
WorkspaceSubscriptionId in case the alert is generated on a VM, Server, Virtual Machine Scale Set or App Service instance that reports to a workspace, contains that workspace subscriptionId

Next step