Alert interface
Security alert
- Extends ProxyResource
Properties
| alertDisplayName | The display name of the alert. |
| alertType | Unique identifier for the detection logic (all alert instances from the same detection logic will have the same alertType). |
| alertUri | A direct link to the alert page in Azure Portal. |
| compromisedEntity | The display name of the resource most related to this alert. |
| correlationKey | Key for correlating related alerts. Alerts with the same correlation key are considered to be related. |
| description | Description of the suspicious activity that was detected. |
| endTimeUtc | The UTC time of the last event or activity included in the alert in ISO8601 format. |
| entities | A list of entities related to the alert. |
| extendedLinks | Links related to the alert. |
| extendedProperties | Custom properties for the alert. |
| intent | The kill chain related intent behind the alert. For list of supported values, and explanations of Azure Security Center's supported kill chain intents. |
| isIncident | This field determines whether the alert is an incident (a compound grouping of several alerts) or a single alert. |
| processingEndTimeUtc | The UTC processing end time of the alert in ISO8601 format. |
| productComponentName | The name of the Azure Security Center pricing tier powering this alert. Learn more: https://docs.microsoft.com/en-us/azure/security-center/security-center-pricing |
| productName | The name of the product which published this alert (Microsoft Sentinel, Microsoft Defender for Identity, Microsoft Defender for Endpoint, Microsoft Defender for Office, Microsoft Defender for Cloud Apps, and so on). |
| remediationSteps | Manual action items to take to remediate the alert. |
| resourceIdentifiers | The resource identifiers that can be used to direct the alert to the right product exposure group (tenant, workspace, subscription etc.). There can be multiple identifiers of different type per alert. |
| severity | The risk level of the threat that was detected. Learn more: https://docs.microsoft.com/en-us/azure/security-center/security-center-alerts-overview#how-are-alerts-classified. |
| startTimeUtc | The UTC time of the first event or activity included in the alert in ISO8601 format. |
| status | The life cycle status of the alert. |
| subTechniques | Kill chain related sub-techniques behind the alert. |
| supportingEvidence | Changing set of properties depending on the supportingEvidence type. |
| systemAlertId | Unique identifier for the alert. |
| techniques | Kill chain related techniques behind the alert. |
| timeGeneratedUtc | The UTC time the alert was generated in ISO8601 format. |
| vendorName | The name of the vendor that raises the alert. |
| version | Schema version. |
Inherited Properties
| id | Fully qualified resource ID for the resource. Ex - /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName} |
| name | The name of the resource. |
| systemData | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
| type | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
Property Details
alertDisplayName
The display name of the alert.
alertDisplayName?: string
Property Value
string
alertType
Unique identifier for the detection logic (all alert instances from the same detection logic will have the same alertType).
alertType?: string
Property Value
string
alertUri
A direct link to the alert page in Azure Portal.
alertUri?: string
Property Value
string
compromisedEntity
The display name of the resource most related to this alert.
compromisedEntity?: string
Property Value
string
correlationKey
Key for correlating related alerts. Alerts with the same correlation key are considered to be related.
correlationKey?: string
Property Value
string
description
Description of the suspicious activity that was detected.
description?: string
Property Value
string
endTimeUtc
The UTC time of the last event or activity included in the alert in ISO8601 format.
endTimeUtc?: Date
Property Value
Date
entities
A list of entities related to the alert.
extendedLinks
Links related to the alert.
extendedLinks?: Record<string, string>[]
Property Value
Record<string, string>[]
extendedProperties
Custom properties for the alert.
extendedProperties?: Record<string, string>
Property Value
Record<string, string>
intent
The kill chain related intent behind the alert. For list of supported values, and explanations of Azure Security Center's supported kill chain intents.
intent?: string
Property Value
string
isIncident
This field determines whether the alert is an incident (a compound grouping of several alerts) or a single alert.
isIncident?: boolean
Property Value
boolean
processingEndTimeUtc
The UTC processing end time of the alert in ISO8601 format.
processingEndTimeUtc?: Date
Property Value
Date
productComponentName
The name of the Azure Security Center pricing tier powering this alert. Learn more: https://docs.microsoft.com/en-us/azure/security-center/security-center-pricing
productComponentName?: string
Property Value
string
productName
The name of the product which published this alert (Microsoft Sentinel, Microsoft Defender for Identity, Microsoft Defender for Endpoint, Microsoft Defender for Office, Microsoft Defender for Cloud Apps, and so on).
productName?: string
Property Value
string
remediationSteps
Manual action items to take to remediate the alert.
remediationSteps?: string[]
Property Value
string[]
resourceIdentifiers
The resource identifiers that can be used to direct the alert to the right product exposure group (tenant, workspace, subscription etc.). There can be multiple identifiers of different type per alert.
resourceIdentifiers?: ResourceIdentifierUnion[]
Property Value
ResourceIdentifierUnion[]
severity
The risk level of the threat that was detected. Learn more: https://docs.microsoft.com/en-us/azure/security-center/security-center-alerts-overview#how-are-alerts-classified.
severity?: string
Property Value
string
startTimeUtc
The UTC time of the first event or activity included in the alert in ISO8601 format.
startTimeUtc?: Date
Property Value
Date
status
The life cycle status of the alert.
status?: string
Property Value
string
subTechniques
Kill chain related sub-techniques behind the alert.
subTechniques?: string[]
Property Value
string[]
supportingEvidence
Changing set of properties depending on the supportingEvidence type.
supportingEvidence?: AlertPropertiesSupportingEvidence
Property Value
AlertPropertiesSupportingEvidence
systemAlertId
Unique identifier for the alert.
systemAlertId?: string
Property Value
string
techniques
Kill chain related techniques behind the alert.
techniques?: string[]
Property Value
string[]
timeGeneratedUtc
The UTC time the alert was generated in ISO8601 format.
timeGeneratedUtc?: Date
Property Value
Date
vendorName
The name of the vendor that raises the alert.
vendorName?: string
Property Value
string
version
Schema version.
version?: string
Property Value
string
Inherited Property Details
id
Fully qualified resource ID for the resource. Ex - /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}
id?: string
Property Value
string
Inherited From ProxyResource.id
name
The name of the resource.
name?: string
Property Value
string
Inherited From ProxyResource.name
systemData
Azure Resource Manager metadata containing createdBy and modifiedBy information.
systemData?: SystemData
Property Value
SystemData
Inherited From ProxyResource.systemData
type
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
type?: string
Property Value
string
Inherited From ProxyResource.type
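As an added example (not part of the SDK reference), the helpers below show how a consumer uses the correlationKey, isIncident, severity and timeline properties documented above to group and rank alerts. Real code would import the Alert type from @azure/arm-security; the AlertSubset interface, the severity ranking and the sample alerts are hand-written assumptions so the snippet runs offline.

```typescript
// Added example, not from the SDK reference. Real code would `import type { Alert } from "@azure/arm-security"`;
// AlertSubset is a hand-copied subset of the documented properties so the snippet runs offline.
interface AlertSubset {
  systemAlertId?: string;
  correlationKey?: string;
  isIncident?: boolean;
  severity?: string;
  startTimeUtc?: Date;
  endTimeUtc?: Date;
  timeGeneratedUtc?: Date;
}
// Severity names as used by Defender for Cloud (assumed here for ranking); unknown values rank lowest.
const SEVERITY_RANK: Record<string, number> = { Informational: 0, Low: 1, Medium: 2, High: 3 };
// Group alerts sharing a correlationKey; an alert without one stands alone under its systemAlertId.
function groupByCorrelation(alerts: AlertSubset[]): Map<string, AlertSubset[]> {
  const groups = new Map<string, AlertSubset[]>();
  for (const a of alerts) {
    const key = a.correlationKey ?? `single:${a.systemAlertId ?? "unknown"}`;
    groups.set(key, [...(groups.get(key) ?? []), a]);
  }
  return groups;
}
// Timeline consistency checks a consumer should run before trusting start/end/generated times.
function timelineIssues(a: AlertSubset): string[] {
  const issues: string[] = [];
  if (a.startTimeUtc && a.endTimeUtc && a.startTimeUtc.getTime() > a.endTimeUtc.getTime())
    issues.push("startTimeUtc is after endTimeUtc");
  if (a.endTimeUtc && a.timeGeneratedUtc && a.timeGeneratedUtc.getTime() < a.endTimeUtc.getTime())
    issues.push("timeGeneratedUtc precedes the last included event");
  return issues;
}
// Review order for correlation groups: highest severity first, incidents ahead of single alerts.
function triageOrder(alerts: AlertSubset[]): string[] {
  const score = (g: AlertSubset[]) =>
    Math.max(...g.map((a) => SEVERITY_RANK[a.severity ?? ""] ?? -1)) * 2 + (g.some((a) => a.isIncident) ? 1 : 0);
  return Array.from(groupByCorrelation(alerts).entries())
    .sort((x, y) => score(y[1]) - score(x[1]))
    .map(([key]) => key);
}
// Constructed sample alerts (not real data) exercising grouping, ranking and the timeline check.
const SAMPLE_ALERTS: AlertSubset[] = [
  { systemAlertId: "a1", correlationKey: "corr-1", severity: "Medium", startTimeUtc: new Date("2024-01-01T10:00:00Z"),
    endTimeUtc: new Date("2024-01-01T10:05:00Z"), timeGeneratedUtc: new Date("2024-01-01T10:06:00Z") },
  { systemAlertId: "a2", correlationKey: "corr-1", severity: "High", isIncident: true },
  { systemAlertId: "a3", severity: "High", startTimeUtc: new Date("2024-01-01T11:00:00Z"), endTimeUtc: new Date("2024-01-01T10:50:00Z") },
  { systemAlertId: "a4", severity: "Low" },
];
```

With the sample data, triageOrder returns corr-1 first (High incident), then the stand-alone High alert a3, whose reversed timeline the timelineIssues check flags.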