Microsoft Defender for Cloud Alert
Microsoft Defender for Cloud is a unified infrastructure security management system that strengthens the security posture of your data centers and provides advanced threat protection across your hybrid workloads in the cloud, whether they're in Azure or not, as well as on premises.
This connector is available in the following products and regions:
Service | Class | Regions
---|---|---
Logic Apps | Standard | All Logic Apps regions except the following: US Department of Defense (DoD)
Contact |
---|---
Name | Microsoft
URL | Microsoft LogicApps Support

Connector Metadata |
---|---
Publisher | Microsoft
Learn more | https://docs.microsoft.com/connectors/ascalert
Website | https://azure.microsoft.com/services/security-center/
Throttling Limits
Name | Calls | Renewal Period
---|---|---
API calls per connection | 100 | 60 seconds
Triggers
Name | Description
---|---
When a Microsoft Defender for Cloud alert is created or triggered | Triggers when an alert is created in Microsoft Defender for Cloud and matches the evaluation criteria configured in an automation, or when manually run on a specific alert. Note: automated running of this trigger requires enabling automation in Microsoft Defender for Cloud and enabling a workload protection plan as a preliminary step. To do so, visit Microsoft Defender for Cloud.
When a Microsoft Defender for Cloud alert is created or triggered
Returns
Name | Path | Type | Description
---|---|---|---
Alert Uri | AlertUri | string | A direct link to view the alert with all its details in Microsoft Defender for Cloud in the Azure portal.
Alert Display Name | AlertDisplayName | string | The display name of the alert; this value is displayed to users either as-is or with additional parameters (for placeholder formatting examples, see the Notes section). It is advised not to put placeholders in the AlertDisplayName field and to use the same value for all alerts sharing the same AlertType value, since alerts can be aggregated according to the AlertType field and shown to end users as such.
Alert Type | AlertType | string | The type name of the alert. Alerts of the same type should have the same name. This field is a keyed string representing the category or type of the alert, not of an alert instance. All alert instances from the same detection logic/analytic should share the same value for alert type.
Compromised Entity | CompromisedEntity | string | Display name of the main entity being reported on. This field is presented to the user as-is and is not required to conform to any format. It could hold a computer name, an IP address, a VM, or anything else the alert provider decides to present.
Description | Description | string | Alert description; might contain parameter placeholders (for placeholder formatting examples, see the Notes section).
End Time (UTC) | EndTimeUtc | date-time | The impact end time of the alert (the time of the last event contributing to the alert).
Intent | Intent | string | Optional field that specifies the kill chain related intent behind the alert. The list of supported values is in the Kill Chain Intent enumeration section. Multiple values can be selected in this field. The JSON format for this field should serialize the enumeration values as strings. Multiple values should be separated by a comma, e.g. Probing, Exploitation.
Product Name | ProductName | string | The name of the product which published this alert, e.g. ASC, WDATP, MCAS.
Severity | Severity | string | The severity of the alert as it is reported by the provider. Possible values: Informational (a.k.a. Silent), Low, Medium, High.
Start Time (UTC) | StartTimeUtc | date-time | The impact start time of the alert (the time of the first event contributing to the alert).
System Alert Id | SystemAlertId | string | Holds the product identifier of the alert for the product. This is the alert identifier which is usually also available externally for customers or external systems to query alerts by. Alert publishers that are internal to a product should use the ProviderAlertId field to report any identifier to be used in the scope of a single product.
Time Generated (UTC) | TimeGenerated | date-time | The time the alert was generated. This should be the time it was generated by the alert provider; if missing, the system will assign the time it was received for processing.
Vendor Name | VendorName | string | The name of the vendor that raised the alert; this value is displayed to users as-is, e.g. Microsoft, Deep Security Agent, or Microsoft Antimalware.
Entities | Entities | array of object | A list of entities related to the alert. This list can hold a mixture of entities of diverse types. The entity type can be any of the types defined in the Entities section. Entities which are not in the list below can also be sent; however, we don't guarantee that they will be processed (the alert will not fail validation). Cannot be set to null (will be set to an empty enumerable instead).
Extended Links | ExtendedLinks | array of object | A bag for all links related to the alert. This bag can hold a mixture of links of diverse types. Links which are not in the list below can also be sent; however, we don't guarantee that they will be processed (the alert will not fail validation). Cannot be set to null (will be set to an empty enumerable instead).
Remediation Steps | RemediationSteps | array of string | Manual action items to take to remediate the alert. Might contain parameter placeholders (for placeholder formatting examples, see the Notes section).
Resource Identifiers | ResourceIdentifiers | array of object | The resource identifiers for this alert, which can be used to direct the alert to the right product exposure group (workspace, subscription, etc.). There can be multiple identifiers of different types per alert. See Resource Identifiers for more details.
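As an added example (not code from the connector or its documentation), the following Python normalizes an alert payload shaped like the trigger output described in the table above, applying the documented field rules: the comma-separated Intent string, null Entities and ExtendedLinks treated as empty, the TimeGenerated fallback to the time of receipt, and the Severity value set. The normalize_alert helper and SAMPLE_ALERT are constructed for this example and are not real alert data.

```python
from datetime import datetime, timezone

# Severity values listed in the Returns table, ranked for routing decisions
SEVERITIES = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
REQUIRED = ("AlertType", "AlertDisplayName", "SystemAlertId", "Severity")

def normalize_alert(alert, received_at=None):
    """Apply the field rules documented above and return a flat record.
    Raises ValueError for a missing required field or an unknown Severity."""
    missing = [f for f in REQUIRED if not alert.get(f)]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    sev = alert["Severity"]
    if sev not in SEVERITIES:
        raise ValueError(f"unknown Severity {sev!r}")
    # Intent is one string of comma-separated kill chain stages, e.g. "Probing, Exploitation"
    intents = [s.strip() for s in (alert.get("Intent") or "").split(",") if s.strip()]
    # Entities and ExtendedLinks are documented as never null: treat null as empty
    entities = alert.get("Entities") or []
    links = alert.get("ExtendedLinks") or []
    # TimeGenerated falls back to the time the alert was received for processing
    fallback = (received_at or datetime.now(timezone.utc)).isoformat()
    generated = alert.get("TimeGenerated") or fallback
    return {
        "id": alert["SystemAlertId"],
        "type": alert["AlertType"],
        "title": alert["AlertDisplayName"],
        "severity": sev,
        "severity_rank": SEVERITIES[sev],
        "intents": intents,
        "entity_count": len(entities),
        "link_count": len(links),
        "generated": generated,
        "portal_link": alert.get("AlertUri"),
        # The table advises against placeholders in AlertDisplayName; flag them
        "title_has_placeholder": "{" in alert["AlertDisplayName"],
    }

# Constructed sample shaped like the trigger output; the values are not a real alert
SAMPLE_ALERT = {
    "AlertType": "Example_SuspiciousProcess",
    "AlertDisplayName": "Suspicious process executed on virtual machine",
    "SystemAlertId": "00000000-0000-0000-0000-000000000001",
    "Severity": "High",
    "Intent": "Probing, Exploitation",
    "ProductName": "ASC", "VendorName": "Microsoft",
    "TimeGenerated": "2024-01-01T00:00:00Z",
    "Entities": [{"name": "vm-example"}, {"address": "192.0.2.10"}],
    "ExtendedLinks": None,
    "AlertUri": "https://portal.azure.com/PLACEHOLDER",
}
```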