Edit

Share via

AggregatedSecurityAlert

  • Article

Alerts that were generated by security products and were aggregated from a partner.

Table attributes

Attribute Value
Resource types microsoft.securityinsights/securityinsights
Categories Security
Solutions SecurityInsights
Basic log No
Ingestion-time transformation No
Sample Queries Yes

Columns

Column Type Description
AggregatedSecurityAlertRuleIds string IDs assigned to the aggregated security data sharing rules by Sentinel.
AggregatedSecurityAlertRuleNames string The names of the aggregated security data sharing rules.
AlertName string The name of the alert.
AlertSeverity string The sevirity of the alert.
AlertType string The type name of the alert.
_BilledSize real The record size in bytes
CompromisedEntity string Display name of the main entity being reported on.
ConfidenceLevel string The level of confidence that the alert is not a false-positive.
ConfidenceScore real The level of confidence that the alert is not a false-positive. This property allows for more fined grained representation, represented by a number between 0 and 1 (inclusive).
Description string The description of the alert.
DisplayName string The name of the alert.
EndTime datetime The end time of the impact of the alert.
Entities string A list of entities related to the alert. This list can hold a mixture of entities of different types.
ExtendedLinks string A set of link objects the can provide additional data on the alert.
ExtendedProperties string Additional data about the alert.
_IsBillable string Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account
PartnerDisplayName string Name of the partner who sent the alert.
PartnerId string An ID assigned to the partner who sent the alert.
PartnerMetadata string Metadata about the partner who sent the alert.
ProcessingEndTime datetime The time the alert was received for processing.
ProductComponentName string The name of a component inside the product which generated the alert.
ProductName string The name of the product that generated the alert.
ProviderName string The name of the provider that generated the alert.
RemediationSteps string Action items to take to remediate the alert.
_ResourceId string A unique identifier for the resource that the record is associated with
SourceSystem string The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics
StartTime datetime The start time of the impact of the alert.
Status string The lifecycle status of the alert (new, in progress, closed).
_SubscriptionId string A unique identifier for the subscription that the record is associated with
SubTechniques string A list of adversary MITRE ATT&CK sub techniques involved in this security issue.
SystemAlertId string An ID assigned to the alert by Sentinel.
Tactics string A list of adversary MITRE ATT&CK tactics involved in this security issue.
Techniques string A list of adversary MITRE ATT&CK techniques involved in this security issue.
TenantId string The Log Analytics workspace ID
TimeGenerated datetime The timestamp (UTC) of when the alert was generated.
Type string The name of the table
VendorName string The name of the vendor owning the provider that generated the alert.
VendorOriginalId string An ID assigned to the alert by the vendor, to help track down the alert in the original system.