Security alerts schemas

If your subscription has Defender for Cloud Defender plans enabled, you'll receive security alerts when Defender for Cloud detects threats to their resources.

You can view these security alerts in Microsoft Defender for Cloud's pages - overview dashboard, alerts, resource health pages, or workload protections dashboard - and through external tools such as:

If you're using any programmatic methods to consume the alerts, you'll need the correct schema to find the fields that are relevant to you. Also, if you're exporting to an Event Hub or trying to trigger Workflow Automation with generic HTTP connectors, use the schemas to properly parse the JSON objects.


The schema is slightly different for each of these scenarios, so make sure you select the relevant tab below.

The schemas

The Sentinel Connector gets alerts from Microsoft Defender for Cloud and sends them to the Log Analytics Workspace for Microsoft Sentinel.

To create a Microsoft Sentinel case or incident using Defender for Cloud alerts, you'll need the schema for those alerts shown below.

Learn more in the Microsoft Sentinel documentation.

The data model of the schema

Field Description
AlertName Alert display name
AlertType unique alert identifier
ConfidenceLevel (Optional) The confidence level of this alert (High/Low)
ConfidenceScore (Optional) Numeric confidence indicator of the security alert
Description Description text for the alert
DisplayName The alert's display name
EndTime The impact end time of the alert (the time of the last event contributing to the alert)
Entities A list of entities related to the alert. This list can hold a mixture of entities of diverse types
ExtendedLinks (Optional) A bag for all links related to the alert. This bag can hold a mixture of links for diverse types
ExtendedProperties A bag of additional fields which are relevant to the alert
IsIncident Determines if the alert is an incident or a regular alert. An incident is a security alert that aggregates multiple alerts into one security incident
ProcessingEndTime UTC timestamp in which the alert was created
ProductComponentName (Optional) The name of a component inside the product which generated the alert.
ProductName constant ('Azure Security Center')
ProviderName unused
RemediationSteps Manual action items to take to remediate the security threat
ResourceId Full identifier of the affected resource
Severity The alert severity (High/Medium/Low/Informational)
SourceComputerId a unique GUID for the affected server (if the alert is generated on the server)
SourceSystem unused
StartTime The impact start time of the alert (the time of the first event contributing to the alert)
SystemAlertId Unique identifier of this security alert instance
TenantId the identifier of the parent Azure Active directory tenant of the subscription under which the scanned resource resides
TimeGenerated UTC timestamp on which the assessment took place (Security Center's scan time) (identical to DiscoveredTimeUTC)
Type constant ('SecurityAlert')
VendorName The name of the vendor that provided the alert (e.g. 'Microsoft')
VendorOriginalId unused
WorkspaceResourceGroup in case the alert is generated on a VM, Server, Virtual Machine Scale Set or App Service instance that reports to a workspace, contains that workspace resource group name
WorkspaceSubscriptionId in case the alert is generated on a VM, Server, Virtual Machine Scale Set or App Service instance that reports to a workspace, contains that workspace subscriptionId

Next steps

This article described the schemas that Microsoft Defender for Cloud's threat protection tools use when sending security alert information.

For more information on the ways to access security alerts from outside Defender for Cloud, see: