Defender for Cloud alerts exported to event hub, but the schema doesn't align with the documented alerts API.

Nisha Das 0 Reputation points
2024-03-21T11:02:21.0566667+00:00

I am reaching out regarding an issue we've encountered while exporting security alerts from Microsoft Defender for Cloud to Azure EventHub. Here are the details of the issue:

  • We are currently sending security alerts from Microsoft Defender for Cloud to Azure EventHub. However, we have noticed that the schema of these alerts does not match when we retrieve them from EventHubs using SDKs/APIs as mentioned in this doc [The alerts API].
  • Our understanding, based on this documentation, is that Defender for Cloud security alerts sent to EventHubs should adhere to the schema outlined in the alerts API documentation. Contrary to our expectations, the schema we observe from our console resembles the schema used for Log Analytics, but is not exactly the same.
  • To facilitate resolution, we have attached a sample log received from the EventHub for your reference.

We are uncertain whether our understanding is incorrect or if there might be a discrepancy in the documentation. We kindly request your assistance in clarifying this matter and providing guidance on how to ensure the consistency of the schema for security alerts exported to Azure EventHub. Also, we wanted to know whether this behavior would also be true for all other customers. Your prompt attention to this request would be greatly appreciated.
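The practical risk behind this question is a downstream consumer (SIEM parser, alert router) silently dropping or misreading alerts when the exported shape differs from the one it was written against. The following is an added example, not code from the question, the answer, or Microsoft: a small normalizer that recognises both shapes the question contrasts (alerts REST API records with fields nested under "properties", and Log Analytics SecurityAlert-style flat PascalCase columns), maps them onto one internal record, and reports which expected fields are missing and which unexpected ones appeared. The field names are assumptions drawn from the public documentation as I read it, and the sample records are constructed; verify both against the payloads your own Event Hub actually delivers before relying on them.

```python
"""Schema-drift check for Defender for Cloud alerts pulled from an Event Hub.

Added example; field names are ASSUMPTIONS based on public docs, not confirmed
against the export in the question. Sample records below are constructed.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Alerts REST API shape (assumed): alert fields nested under "properties".
API_FIELDS = {
    "alertDisplayName": "name",
    "severity": "severity",
    "timeGeneratedUtc": "time_generated",
    "compromisedEntity": "compromised_entity",
    "alertType": "alert_type",
}
# Log Analytics SecurityAlert-style shape (assumed): flat PascalCase columns.
LA_FIELDS = {
    "AlertName": "name",
    "AlertSeverity": "severity",
    "TimeGenerated": "time_generated",
    "CompromisedEntity": "compromised_entity",
    "AlertType": "alert_type",
}


@dataclass
class NormalizedAlert:
    schema: str                       # which shape was detected
    name: Optional[str]
    severity: Optional[str]
    time_generated: Optional[str]
    compromised_entity: Optional[str]
    alert_type: Optional[str]
    missing: tuple                    # expected fields absent from the record
    unexpected: tuple                 # fields present that the mapping does not know


def detect_schema(record: dict) -> str:
    """Classify a decoded Event Hub message body by the field names it carries."""
    props = record.get("properties")
    if isinstance(props, dict) and any(k in props for k in API_FIELDS):
        return "alerts-api"
    if any(k in record for k in LA_FIELDS):
        return "log-analytics"
    return "unknown"


def normalize(record: dict) -> NormalizedAlert:
    """Map either shape onto NormalizedAlert, recording drift instead of hiding it."""
    schema = detect_schema(record)
    if schema == "alerts-api":
        source, mapping = record["properties"], API_FIELDS
    elif schema == "log-analytics":
        source, mapping = record, LA_FIELDS
    else:
        # Fail loudly: an unknown shape should stop the pipeline, not be dropped.
        raise ValueError(f"unrecognised alert schema; top-level keys: {sorted(record)}")
    values = {mapping[k]: source.get(k) for k in mapping}
    missing = tuple(sorted(k for k in mapping if k not in source))
    unexpected = tuple(sorted(k for k in source if k not in mapping))
    return NormalizedAlert(schema=schema, missing=missing, unexpected=unexpected, **values)


def process_batch(message_bodies):
    """Decode a batch of JSON message bodies (e.g. EventData.body_as_str()) and normalize each."""
    return [normalize(json.loads(body)) for body in message_bodies]


# Constructed sample records (not real alerts) in the two shapes being compared.
SAMPLE_API = json.dumps({
    "id": "/subscriptions/<sub-id>/providers/Microsoft.Security/locations/<loc>/alerts/<alert-id>",
    "properties": {
        "alertDisplayName": "Constructed alert: suspicious process executed",
        "severity": "Medium",
        "timeGeneratedUtc": "2024-03-20T18:04:06Z",
        "compromisedEntity": "vm-example-01",
        "alertType": "EXAMPLE_ConstructedAlertType",
    },
})
SAMPLE_LA = json.dumps({
    "AlertName": "Constructed alert: suspicious process executed",
    "AlertSeverity": "Medium",
    "TimeGenerated": "2024-03-20T18:04:06Z",
    "CompromisedEntity": "vm-example-01",
    "Description": "constructed description field not present in the API mapping",
})

if __name__ == "__main__":
    for alert in process_batch([SAMPLE_API, SAMPLE_LA]):
        print(alert.schema, alert.name, "missing:", alert.missing, "unexpected:", alert.unexpected)
```

Running the check over a day of exported messages and alerting on any non-empty `missing` or `unexpected` tuple gives you a concrete answer to the question's "does this happen to everyone" concern for your own tenant, and the `ValueError` path keeps an unrecognised shape from being discarded quietly.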


1 answer

  1. Sander van de Velde 29,691 Reputation points MVP
    2024-03-21T14:09:23.69+00:00

    Hello @Nisha Das,

    welcome to this moderated Azure community forum.

    It seems the format is different indeed. Perhaps the documentation is outdated?

    You can give feedback to this Microsoft documentation page using the feedback options:

    One option brings you to the Share your Ideas page, the other brings you to GitHub to provide feedback there.

    If you are confident, you could edit the documentation page yourself using the edit button:

    Then, there is a chance the author of the page contacts you with follow-up questions.


    If the response helped, do "Accept Answer". If it doesn't work, please let us know the progress. All community members with similar issues will benefit by doing so. Your contribution is highly appreciated.