Customize alert details in Microsoft Sentinel

This article explains how to override the default properties of alerts with content from the underlying query results.

In the process of creating a scheduled analytics rule, as the first step you define a name and description for the rule, and you assign it a severity and MITRE ATT&CK tactics. All alerts generated by a given rule - and all incidents created as a result - will inherit the name, description, severity, and tactics defined in the rule, without regard to the particular content of a specific instance of the alert.

With the alert details feature, you can override these and other default properties of alerts in two ways:

  • Create custom, variable names and descriptions for your alerts. You can select fields in your alert's query output whose contents can be included in the name or description of each instance of the alert. If the selected field has no value in a given instance, the alert details for that instance will revert to the defaults specified in the first page of the wizard.

  • Customize the severity, tactics, and other properties of a given instance of an alert (see the full list of properties below) with the values of any relevant fields from the query output. If the selected fields are empty or have values that don't match the field data type, the respective alert properties will revert to their defaults (for tactics and severity, those specified in the first page of the wizard).

Important

The ability to customize some alert details (those marked as such below) is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Follow the procedure detailed below to use the alert details feature. These steps are part of the analytics rule creation wizard, but they're described here on their own to cover the scenario of adding or changing alert details in an existing analytics rule.

How to customize alert details

  1. From the Microsoft Sentinel navigation menu, select Analytics.

  2. Select a scheduled query rule and select Edit. Or create a new rule by selecting Create > Scheduled query rule at the top of the screen.

  3. Select the Set rule logic tab.

  4. In the Alert enrichment section, expand Alert details.

    [Screenshot: Customize alert details]

  5. In the now-expanded Alert details section, add free text that includes properties corresponding to the details you want to display in the alert:

    1. In the Alert Name Format field, enter the text you want to appear as the name of the alert (the alert text), and include, in double curly brackets, any query output fields you want to be part of the alert text.

      Example: Alert from {{ProviderName}}: {{AccountName}} failed to sign in to computer {{ComputerName}}.

    2. Do the same with the Alert Description Format field.

      Note

      You are currently limited to three parameters each in the Alert Name Format and Alert Description Format fields.

    3. To override other default properties, select an alert property from the Alert property drop-down list. Then, from the Value drop-down list, select the query result field whose contents you want to populate that alert property.

    4. To override more default properties, select + Add new and repeat the previous step.

      The following alert properties can be overridden:

      • AlertName
      • Description
      • AlertSeverity
      • Tactics
      • Techniques (Preview)
      • AlertLink (Preview)
      • ConfidenceLevel (Preview)
      • ConfidenceScore (Preview)
      • ExtendedLinks (Preview)
      • ProductComponentName (Preview)
      • ProductName (Preview)
      • ProviderName (Preview)
      • RemediationSteps (Preview)

    If you change your mind, or if you made a mistake, you can remove an alert detail by selecting the trash can icon next to the Alert property/Value pair, or by deleting the free text from the Alert Name/Description Format fields.

  6. When you have finished customizing your alert details, if you're now creating the rule, continue to the next tab in the wizard. If you're editing an existing rule, select the Review and create tab. Once the rule validation is successful, select Save.
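As an added illustration (not Sentinel's code or anything from Microsoft), the following Python models the behaviour described above: {{Field}} expansion in the name and description formats, the three-placeholder limit, and reversion to the rule defaults when a referenced field is empty or an overriding column's value does not fit the property's type. The rule, column names and result rows are constructed for the example.

```python
import re
# Constructed model of the alert-details behaviour described on this page; not Sentinel code.
SEVERITIES = {"Informational", "Low", "Medium", "High"}
MAX_FORMAT_PARAMS = 3                      # limit stated in the note above
PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")

def render_format(template, row, default):
    """Expand {{Field}} placeholders from one query-result row; revert to the
    rule default when any referenced field is empty in that instance."""
    fields = PLACEHOLDER.findall(template)
    if len(fields) > MAX_FORMAT_PARAMS:
        raise ValueError(f"{len(fields)} placeholders, limit is {MAX_FORMAT_PARAMS}")
    if any(row.get(f) in (None, "") for f in fields):
        return default
    return PLACEHOLDER.sub(lambda m: str(row[m.group(1)]), template)

def resolve_property(prop, row, column, default):
    """Fill an alert property from a query column; revert to the default when
    the column is empty or its value does not fit the property's data type."""
    value = row.get(column)
    if value in (None, ""):
        return default
    if prop == "AlertSeverity" and value not in SEVERITIES:
        return default                     # e.g. "Critical" is not a valid severity
    if prop == "ConfidenceScore":
        try:
            return float(value)
        except (TypeError, ValueError):
            return default
    return value

def build_alert(rule, row):
    """Apply one rule's alert-details configuration to one result row."""
    alert = {"AlertName": render_format(rule["name_format"], row, rule["name"]),
             "Description": render_format(rule["description_format"], row, rule["description"])}
    for prop, column in rule["overrides"].items():
        alert[prop] = resolve_property(prop, row, column, rule["defaults"].get(prop))
    return alert

# Constructed rule and result rows, reusing the example name format from this page.
RULE = {"name": "Failed sign-in", "description": "A sign-in attempt failed.",
        "name_format": "Alert from {{ProviderName}}: {{AccountName}} failed to sign in to computer {{ComputerName}}",
        "description_format": "{{AccountName}} had {{FailureCount}} failed sign-ins",
        "overrides": {"AlertSeverity": "SeverityColumn", "ConfidenceScore": "Score"},
        "defaults": {"AlertSeverity": "Medium", "ConfidenceScore": None}}
ROW_OK = {"ProviderName": "Azure AD", "AccountName": "jdoe", "ComputerName": "WKS01",
          "FailureCount": 12, "SeverityColumn": "High", "Score": "0.9"}
ROW_BAD = {"ProviderName": "Azure AD", "AccountName": "", "ComputerName": "WKS01",
           "FailureCount": 3, "SeverityColumn": "Critical", "Score": "n/a"}
```

Running `build_alert(RULE, ROW_BAD)` shows every customized detail falling back to the wizard defaults, which is the case to check when a rule's alerts unexpectedly carry the generic name or severity.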

Next steps

In this document, you learned how to customize alert details in Microsoft Sentinel analytics rules. To learn more about Microsoft Sentinel, see the following articles: