Customize alert details in Microsoft Sentinel

Note

Azure Sentinel is now called Microsoft Sentinel, and we’ll be updating these pages in the coming weeks. Learn more about recent Microsoft security enhancements.

Introduction

When you define a name and description for your scheduled analytics rules, and you assign them severities and MITRE ATT&CK tactics, all alerts generated by a particular rule - and all incidents created as a result - will be displayed with the same name, description, and so on, without regard to the particular content of a specific instance of the alert.

With the alert details feature, you can tailor an alert's appearance to its content. Here you can select parameters in your alert that can be represented in the name or description of each instance of the alert, or that can contain the tactics and severity assigned to that instance of the alert. If the selected parameter has no value (or an invalid value in the case of tactics and severity), the alert details will revert to the defaults specified in the first page of the wizard.

The procedure detailed below is part of the analytics rule creation wizard. It's treated here independently to address the scenario of adding or changing alert details in an existing analytics rule.

How to customize alert details

  1. From the Microsoft Sentinel navigation menu, select Analytics.

  2. Select a scheduled query rule and click Edit. Or create a new rule by clicking Create > Scheduled query rule at the top of the screen.

  3. Click the Set rule logic tab.

  4. In the Alert enrichment section, expand Alert details.

    [Screenshot: Customize alert details]

  5. In the now-expanded Alert details section, add free text that includes parameters corresponding to the details you want to display in the alert:

    1. In the Alert Name Format field, enter the text you want to appear as the name of the alert (the alert text), and include, in double curly brackets, any parameters you want to be part of the alert text.

      Example: Alert from {{ProviderName}}: {{AccountName}} failed to log on to computer {{ComputerName}}.

    2. Do the same with the Alert Description Format field.

      Note

      You are currently limited to three parameters each in the Alert Name Format and Alert Description Format fields.

    3. Use the Tactic Column and Severity Column fields only if your query results contain columns with this information in them. For each one, choose the column that contains the corresponding information.

    If you change your mind, or if you made a mistake, you can remove an alert detail by clicking the trash can icon next to the Tactic/Severity Column fields, or by deleting the free text from the Alert Name/Description Format fields.

  6. When you have finished customizing your alert details, continue to the next tab in the wizard. If you're editing an existing rule, click the Review and create tab. Once the rule validation is successful, click Save.
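As an added illustration (not Sentinel's own code), the following Python models how the settings entered above are applied to one row of query results: placeholders in double curly brackets are filled from the row's columns, the three-parameter limit is enforced, and a missing parameter or an invalid tactic/severity value reverts to the rule's defaults. The valid-value sets, the rule settings and the result rows are constructed for the example; the page does not say whether a single missing parameter reverts the whole field, which is the reading modelled here.

```python
import re

# Assumed value sets for the example: Sentinel's four severities, and a
# constructed subset of MITRE ATT&CK tactic names (not a complete list).
VALID_SEVERITIES = {"High", "Medium", "Low", "Informational"}
VALID_TACTICS = {"InitialAccess", "Persistence", "PrivilegeEscalation",
                 "CredentialAccess", "LateralMovement", "Exfiltration"}
MAX_PARAMS = 3  # per-field limit stated in the note above

PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")  # matches {{ColumnName}}


def render_format(template, row, default):
    """Fill {{Column}} placeholders from one query-result row.
    Assumption: any placeholder whose column is missing or empty makes the
    whole field revert to the rule's default, as set on the wizard's first page."""
    names = PLACEHOLDER.findall(template)
    if len(set(names)) > MAX_PARAMS:
        raise ValueError(f"at most {MAX_PARAMS} parameters allowed, got {len(set(names))}")
    if any(row.get(n) in (None, "") for n in names):
        return default
    return PLACEHOLDER.sub(lambda m: str(row[m.group(1)]), template)


def pick_column(row, column, valid_values, default):
    """Read the tactic or severity from a result column; a missing or invalid
    value reverts to the rule's default."""
    value = row.get(column) if column else None
    return value if value in valid_values else default


RULE = {  # constructed rule settings, as they would be entered in the wizard
    "name": "Failed sign-in",
    "description": "A sign-in failed.",
    "severity": "Medium",
    "tactic": "CredentialAccess",
    "name_format": "Alert from {{ProviderName}}: {{AccountName}} failed to log on to computer {{ComputerName}}",
    "description_format": "{{AccountName}} had {{FailureCount}} failures",
    "tactic_column": "Tactics",
    "severity_column": "Severity",
}


def build_alert(rule, row):
    """Produce the per-instance alert details for one query-result row."""
    return {
        "name": render_format(rule["name_format"], row, rule["name"]),
        "description": render_format(rule["description_format"], row, rule["description"]),
        "tactic": pick_column(row, rule["tactic_column"], VALID_TACTICS, rule["tactic"]),
        "severity": pick_column(row, rule["severity_column"], VALID_SEVERITIES, rule["severity"]),
    }


# Constructed query-result rows: one complete, one with an empty account name
# and out-of-range tactic/severity values.
ROW_OK = {"ProviderName": "SecurityEvents", "AccountName": "jdoe", "ComputerName": "WS01",
          "FailureCount": 12, "Tactics": "CredentialAccess", "Severity": "High"}
ROW_BAD = {"ProviderName": "SecurityEvents", "AccountName": "", "ComputerName": "WS01",
           "FailureCount": 3, "Tactics": "NotATactic", "Severity": "Critical"}

if __name__ == "__main__":
    for row in (ROW_OK, ROW_BAD):
        print(build_alert(RULE, row))
```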

Next steps

In this document, you learned how to customize alert details in Microsoft Sentinel analytics rules. To learn more about Microsoft Sentinel, see the following articles: