Microsoft Sentinel security alert schema reference
Azure Sentinel is now called Microsoft Sentinel, and we’ll be updating these pages in the coming weeks. Learn more about recent Microsoft security enhancements.
Microsoft Sentinel analytics rules create incidents as the result of security alerts. Security alerts can come from different sources, and accordingly use different kinds of analytics rules to create incidents:
Scheduled analytics rules generate alerts as the result of their regular queries of data in logs ingested from external sources, and those same rules create incidents from those alerts. (For the purposes of this document, "scheduled" rule alerts include NRT rule alerts.)
Microsoft Security analytics rules create incidents from alerts that are ingested as-is from other Microsoft security products, for example, Microsoft 365 Defender and Microsoft Defender for Cloud.
Regardless of the source, these alerts are all stored together in the SecurityAlert table in your Log Analytics workspace. This article describes the schema of this table.
Because alerts come from many sources, not all fields are used by all providers. Some fields may be left blank.
|AlertLink||string||A link to the alert in the portal of the originating product.|
|AlertName||string||The display name of the alert.
|AlertSeverity||string||The severity of the alert. [Informational / Low / Medium / High]|
|AlertType||string||The type of alert.
|CompromisedEntity||string||The display name of the main entity being alerted on.|
|ConfidenceLevel||string||The confidence level of this alert: how sure the provider is that this is not a false positive.|
|ConfidenceScore||real||The confidence score of the alert, on a scale of 0.0-1.0, if applicable. This property allows for a more fine-grained representation of the confidence level of the alert compared to the ConfidenceLevel field.|
|Description||string||The description of the alert.|
|DisplayName||string||The display name of the alert. Synonymous with AlertName but retained for compatibility.|
|EndTime||datetime||The end time of the impact of the alert.
|Entities||string||A list of the entities identified in the alert. This list can include a combination of entities of different types. The entities' types can be any of those defined in the schema, as described in the entities documentation.|
|ExtendedLinks||string||A bag (a collection) for all links related to the alert. This bag can include a combination of links of different types.|
|ExtendedProperties||string||A collection of other properties of the alert, including user-defined properties. Any custom details defined in the alert, and any dynamic content in the alert details, are stored here.|
|IsIncident||boolean||DEPRECATED. Always set to false.|
|ProcessingEndTime||datetime||The time of the alert's publishing.
|ProductComponentName||string||The name of the component of the product that generated the alert.|
|ProductName||string||The name of the product that generated the alert.|
|ProviderName||string||The name of the alert provider (the service within the product) that generated the alert.|
|RemediationSteps||string||A list of action items to take to remediate the alert.|
|ResourceId||string||A unique identifier for the resource that is the subject of the alert.|
|SourceComputerId||string||DEPRECATED. Was the agent ID on the server that created the alert.|
|SourceSystem||string||DEPRECATED. Always populated with the string "Detection".|
|StartTime||datetime||The start time of the impact of the alert.
|Status||string||The status of the alert within the life cycle. [New / InProgress / Resolved / Dismissed / Unknown]|
|SystemAlertId||string||The internal unique ID for the alert in Microsoft Sentinel.|
|Tactics||string||A comma-delineated list of MITRE ATT&CK tactics associated with the alert.|
|Techniques||string||A comma-delineated list of MITRE ATT&CK techniques associated with the alert.|
|TenantId||string||The unique ID of the tenant.|
|TimeGenerated||datetime||The time the alert was generated (in UTC).|
|Type||string||The constant ('SecurityAlert')|
|VendorName||string||The vendor of the product that produced the alert.|
|VendorOriginalId||string||Unique ID for the specific alert instance, set by the originating product.|
Learn more about security alerts and analytics rules:
Submit and view feedback for