| Column | Type | Description |
|---|---|---|
| AlertType | string | The type name of the alert. Alerts of the same type should have the same name. This field is a keyed string representing the type of alert, not an alert instance. All alert instances produced by the same detection logic/analytic should have the same value for alert type. |
| _BilledSize | real | The record size in bytes. |
| ComponentName | string | The name of a component inside the product which generated the alert. This is an optional field, which might be populated only for products in which external end users are aware of specific components within the product. For products that offer different types of SKUs/bundles, this field can hold the SKU or bundle name. |
| CreationDateTime | datetime | The date and time (UTC) that the event was generated. |
| Description | string | The number of bytes sent from the source to the destination for the connection or session. |
| DetectionTechnology | string | Optional field to hold the alert threat detection technology. |
| DisplayName | string | The display name of the alert; this value is displayed to users either as-is or with additional parameters. |
| ExtendedProperties | dynamic | A bag of fields which will be presented to the user. Providers can send here any custom fields that should be part of the alert. |
| FirstActivityDateTime | datetime | The impact start time of the alert (the time of the first event or activity included in the alert). The field is serialized as a string according to ISO8601, including UTC timezone information. |
| Id | string | A unique identifier for each Network Access Alert. |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account. |
| IsPreview | bool | IsPreview is set to true where the alert is in public preview state and not yet eligible for GA. By default the value is false. |
| LastActivityDateTime | datetime | The impact end time of the alert (the time of the last event or activity included in the alert). The field is serialized as a string according to ISO8601, including UTC timezone information. |
| PolicyId | string | The Policy Id associated with the network access traffic that generated the alert. |
| ProductName | string | The name of the product which published this alert, for example Azure Security Center, Azure ATP, Microsoft Defender ATP, O365 ATP, MCAS, etc. |
| RelatedResources | dynamic | A list of entities related to the alert. This list can hold a mixture of entities of diverse types. The entity types can be any of the types defined in the Entities section. Entities which are not in the list below can also be sent; however, it is not guaranteed that they will be processed (the alert will not fail validation with new types of entities). |
| Severity | string | The severity of the alert as it is reported by the provider. Possible values: Informational, Low, Medium, High. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for the Windows agent (either direct connect or Operations Manager), Linux for all Linux agents, or Azure for Azure Diagnostics. |
| SubTechniques | string | Optional field that specifies the kill chain related sub-techniques behind the alert. Each sub-technique should be added to this list using its ID, and it should have at least one matching intent in the Intent field. |
| Techniques | string | Optional field that specifies the kill chain related techniques behind the alert. Each technique should be added to this list using its ID, and it should have at least one matching intent in the Intent field. The validation of this field (the expected format of the technique ID and the matching against the Intent values) follows the MITRE ATT&CK enterprise matrix model, and further guidance on the different techniques that make up each intent can be found in MITRE's documentation. |
| TenantId | string | The Log Analytics workspace ID. |
| TimeGenerated | datetime | The date and time (UTC) that the event was generated. |
| Type | string | The name of the table. |
| VendorName | string | The name of the vendor that raised the alert; this value is displayed to users as-is. For most internal security product alerts it should be set to 'Microsoft'. |