Security alerts schemas
If your subscription has enhanced security features enabled, you'll receive security alerts when Defender for Cloud detects threats to their resources.
- Microsoft Sentinel - Microsoft's cloud-native SIEM. The Sentinel Connector gets alerts from Microsoft Defender for Cloud and sends them to the Log Analytics workspace for Microsoft Sentinel.
- Third-party SIEMs - Send data to Azure Event Hubs. Then integrate your Event Hub data with a third-party SIEM. Learn more in Stream alerts to a SIEM, SOAR, or IT Service Management solution.
- The REST API - If you're using the REST API to access alerts, see the online Alerts API documentation.
If you're using any programmatic methods to consume the alerts, you'll need the correct schema to find the fields that are relevant to you. Also, if you're exporting to an Event Hub or trying to trigger Workflow Automation with generic HTTP connectors, use the schemas to properly parse the JSON objects.
The schema is slightly different for each of these scenarios, so make sure you select the relevant tab below.
The Sentinel Connector gets alerts from Microsoft Defender for Cloud and sends them to the Log Analytics Workspace for Microsoft Sentinel.
To create a Microsoft Sentinel case or incident using Defender for Cloud alerts, you'll need the schema for those alerts shown below.
Learn more in the Microsoft Sentinel documentation.
The data model of the schema
|AlertName||Alert display name|
|AlertType||unique alert identifier|
|ConfidenceLevel||(Optional) The confidence level of this alert (High/Low)|
|ConfidenceScore||(Optional) Numeric confidence indicator of the security alert|
|Description||Description text for the alert|
|DisplayName||The alert's display name|
|EndTime||The impact end time of the alert (the time of the last event contributing to the alert)|
|Entities||A list of entities related to the alert. This list can hold a mixture of entities of diverse types|
|ExtendedLinks||(Optional) A bag for all links related to the alert. This bag can hold a mixture of links for diverse types|
|ExtendedProperties||A bag of additional fields which are relevant to the alert|
|IsIncident||Determines if the alert is an incident or a regular alert. An incident is a security alert that aggregates multiple alerts into one security incident|
|ProcessingEndTime||UTC timestamp in which the alert was created|
|ProductComponentName||(Optional) The name of a component inside the product which generated the alert.|
|ProductName||constant ('Azure Security Center')|
|RemediationSteps||Manual action items to take to remediate the security threat|
|ResourceId||Full identifier of the affected resource|
|Severity||The alert severity (High/Medium/Low/Informational)|
|SourceComputerId||a unique GUID for the affected server (if the alert is generated on the server)|
|StartTime||The impact start time of the alert (the time of the first event contributing to the alert)|
|SystemAlertId||Unique identifier of this security alert instance|
|TenantId||the identifier of the parent Azure Active directory tenant of the subscription under which the scanned resource resides|
|TimeGenerated||UTC timestamp on which the assessment took place (Security Center's scan time) (identical to DiscoveredTimeUTC)|
|VendorName||The name of the vendor that provided the alert (e.g. 'Microsoft')|
|WorkspaceResourceGroup||in case the alert is generated on a VM, Server, Virtual Machine Scale Set or App Service instance that reports to a workspace, contains that workspace resource group name|
|WorkspaceSubscriptionId||in case the alert is generated on a VM, Server, Virtual Machine Scale Set or App Service instance that reports to a workspace, contains that workspace subscriptionId|
This article described the schemas that Microsoft Defender for Cloud's threat protection tools use when sending security alert information.
For more information on the ways to access security alerts from outside Defender for Cloud, see:
- Microsoft Sentinel - Microsoft's cloud-native SIEM
- Azure Event Hubs - Microsoft's fully managed, real-time data ingestion service
- Continuously export Defender for Cloud data
- Log Analytics workspaces - Azure Monitor stores log data in a Log Analytics workspace, a container that includes data and configuration information