---
title: include file
description: include file
services: data-factory
author: memildin
ms.service: data-factory
ms.topic: include
ms.date: 03/10/2020
ms.author: memildin
ms.custom: include file
---
```json
{
  "VendorName": "Microsoft",
  "AlertType": "SUSPECT_SVCHOST",
  "StartTimeUtc": "2016-12-20T13:38:00.000Z",
  "EndTimeUtc": "2019-12-20T13:40:01.733Z",
  "ProcessingEndTime": "2019-09-16T12:10:19.5673533Z",
  "TimeGenerated": "2016-12-20T13:38:03.000Z",
  "IsIncident": false,
  "Severity": "High",
  "Status": "New",
  "ProductName": "Azure Security Center",
  "SystemAlertId": "2342409243234234_F2BFED55-5997-4FEA-95BD-BB7C6DDCD061",
  "CompromisedEntity": "WebSrv1",
  "Intent": "Execution",
  "AlertDisplayName": "Suspicious process detected",
  "Description": "Suspicious process named 'SVCHOST.EXE' was running from path: %{Process Path}",
  "RemediationSteps": ["contact your security information team"],
  "ExtendedProperties": {
    "Process Path": "c:\\temp\\svchost.exe",
    "Account": "Contoso\\administrator",
    "PID": 944,
    "ActionTaken": "Detected"
  },
  "Entities": [],
  "ResourceIdentifiers": [
    {
      "Type": "AzureResource",
      "AzureResourceId": "/subscriptions/86057C9F-3CDD-484E-83B1-7BF1C17A9FF8/resourceGroups/backend-srv/providers/Microsoft.Compute/WebSrv1"
    },
    {
      "Type": "LogAnalytics",
      "WorkspaceId": "077BA6B7-8759-4F41-9F97-017EB7D3E0A8",
      "WorkspaceSubscriptionId": "86057C9F-3CDD-484E-83B1-7BF1C17A9FF8",
      "WorkspaceResourceGroup": "omsrg",
      "AgentId": "5A651129-98E6-4E6C-B2CE-AB89BD815616"
    }
  ]
}
```
Field | Data type | Description |
---|---|---|
AlertDisplayName | String | The display name of the alert. |
AlertType | String | The type of alert. Alerts of the same type should have the same value. This field is a keyed string representing the type of alert and not of an alert instance. All alert instances from the same detection logic/analytic should have the same value for alert type. |
CompromisedEntity | String | The display name of the resource most related to this alert. |
Description | String | Description of the alert. |
EndTimeUtc | DateTime | The time of the last event or activity included in the alert. The field should be a string that conforms to the ISO8601 format, including UTC timezone information. |
Entities | `IEnumerable<IEntity>` | A list of entities related to the alert. The list can hold a mixture of entities of different types. The entity types can be any of the types defined in the Entities section. Entities of types not defined there can also be sent; however, they are not guaranteed to be processed (an alert with new entity types does not fail validation). |
ExtendedProperties | `Dictionary<String, String>` | Providers might (optionally) include custom fields here. |
Intent | Enum | The kill chain intent behind the alert. For a list of supported values, and explanations of Azure Security Center's supported kill chain intents, see Intentions. This field might contain multiple values, separated by commas. |
IsIncident | Bool | Determines whether the alert is an incident (a compound grouping of several alerts) or a single alert. The default value is 'false' (a single alert). |
ProcessingEndTime | DateTime | The time the alert was accessible to the end user in the original product holding the alert. |
ProductName | String | The name of the product that published this alert (Azure Security Center, Azure ATP, Microsoft Defender ATP, O365 ATP, MCAS, and so on). |
RemediationSteps | List | Manual action items to take to remediate the alert. |
ResourceIdentifiers | List (Resource Identifiers) | The resource identifiers for this alert, used to direct the alert to the right product exposure group (tenant, workspace, subscription, and so on). An alert can carry multiple identifiers of different types. |
Severity | Enum | The severity of the alert as reported by the provider. Possible Values: Informational, Low, Medium, and High. |
StartTimeUtc | DateTime | The time of the first event or activity included in the alert. The field should be a string that conforms to the ISO8601 format, including UTC timezone information. |
Status | Enum | The life-cycle status of the alert. Supported statuses are: New, Resolved, Dismissed, Unknown. An alert that specifies a value other than the supported options is assigned the status 'Unknown'. An alert that doesn't specify a value is assigned the status 'New'. |
SystemAlertId | String | The alert identifier. |
TimeGenerated | DateTime | The time the alert was generated by the alert provider. If not reported by internal alert providers, a product can choose to assign the time it was received for processing by the product. The field should be a string that conforms to the ISO8601 format, including UTC timezone information. |
VendorName | String | The name of the vendor that raises the alert. |
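The field rules in the table are the kind of thing a SIEM ingestion pipeline has to enforce before it trusts an alert: enum values, the Status fallbacks, UTC timestamps with explicit timezone, comma-separated intents, and string-typed extended properties. The following is an added example, not code from the Azure documentation or the Security Center product. It normalizes the page's sample alert (embedded here as a constructed Python dict with the same values) against those rules, resolves the `%{Process Path}` placeholder visible in the sample's `Description` from `ExtendedProperties` (a convention inferred from the sample, not stated on the page), and extracts the routing target from each `ResourceIdentifiers` entry. The function names, the `SchemaError` class, and the decision to treat the four time fields as mandatory are this example's own assumptions.

```python
"""Validate and normalize a Security Center alert against the schema table.

Added example (not Azure documentation code). The sample below reproduces the
page's sample alert as constructed input; the rules applied are the ones stated
in the field table. Placeholder substitution in Description is inferred from
the sample and is an assumption of this example.
"""
import re
from datetime import datetime, timezone

SEVERITIES = {"Informational", "Low", "Medium", "High"}
STATUSES = {"New", "Resolved", "Dismissed", "Unknown"}
TIME_FIELDS = ("StartTimeUtc", "EndTimeUtc", "TimeGenerated", "ProcessingEndTime")
COPIED_FIELDS = ("VendorName", "ProductName", "AlertType", "AlertDisplayName",
                 "SystemAlertId", "CompromisedEntity")

# ISO 8601 with a mandatory UTC designator. Fractions longer than six digits
# (the sample's ProcessingEndTime has seven) are accepted and truncated.
ISO_UTC = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?(?:Z|\+00:00)$")
PLACEHOLDER = re.compile(r"%\{([^}]+)\}")

# Constructed from the page's sample alert (keys quoted, same values).
SAMPLE_ALERT = {
    "VendorName": "Microsoft", "AlertType": "SUSPECT_SVCHOST",
    "StartTimeUtc": "2016-12-20T13:38:00.000Z", "EndTimeUtc": "2019-12-20T13:40:01.733Z",
    "ProcessingEndTime": "2019-09-16T12:10:19.5673533Z",
    "TimeGenerated": "2016-12-20T13:38:03.000Z",
    "IsIncident": False, "Severity": "High", "Status": "New",
    "ProductName": "Azure Security Center",
    "SystemAlertId": "2342409243234234_F2BFED55-5997-4FEA-95BD-BB7C6DDCD061",
    "CompromisedEntity": "WebSrv1", "Intent": "Execution",
    "AlertDisplayName": "Suspicious process detected",
    "Description": "Suspicious process named 'SVCHOST.EXE' was running from path: %{Process Path}",
    "RemediationSteps": ["contact your security information team"],
    "ExtendedProperties": {"Process Path": "c:\\temp\\svchost.exe",
                           "Account": "Contoso\\administrator", "PID": 944,
                           "ActionTaken": "Detected"},
    "Entities": [],
    "ResourceIdentifiers": [
        {"Type": "AzureResource",
         "AzureResourceId": "/subscriptions/86057C9F-3CDD-484E-83B1-7BF1C17A9FF8/resourceGroups/backend-srv/providers/Microsoft.Compute/WebSrv1"},
        {"Type": "LogAnalytics", "WorkspaceId": "077BA6B7-8759-4F41-9F97-017EB7D3E0A8",
         "WorkspaceSubscriptionId": "86057C9F-3CDD-484E-83B1-7BF1C17A9FF8",
         "WorkspaceResourceGroup": "omsrg", "AgentId": "5A651129-98E6-4E6C-B2CE-AB89BD815616"},
    ],
}


class SchemaError(ValueError):
    """Raised when an alert violates a rule stated in the schema table."""


def parse_utc(value):
    """Parse a schema timestamp, rejecting values without an explicit UTC marker."""
    m = ISO_UTC.match(value or "")
    if not m:
        raise SchemaError(f"timestamp {value!r} is not ISO 8601 with UTC timezone")
    base, frac = m.groups()
    micros = int((frac or "0")[:6].ljust(6, "0"))
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micros, tzinfo=timezone.utc)


def normalize_alert(alert):
    """Return a normalized copy of `alert`, or raise SchemaError."""
    out = {field: alert.get(field) for field in COPIED_FIELDS}
    sev = alert.get("Severity")
    if sev not in SEVERITIES:
        raise SchemaError(f"Severity {sev!r} not one of {sorted(SEVERITIES)}")
    out["Severity"] = sev
    # Status fallbacks from the table: missing -> New, unsupported -> Unknown.
    status = alert.get("Status")
    out["Status"] = "New" if status is None else (status if status in STATUSES else "Unknown")
    out["IsIncident"] = bool(alert.get("IsIncident", False))  # default false
    for field in TIME_FIELDS:
        out[field] = parse_utc(alert.get(field))
    if out["EndTimeUtc"] < out["StartTimeUtc"]:
        raise SchemaError("EndTimeUtc is earlier than StartTimeUtc")
    # Intent may carry several comma-separated kill-chain stages.
    out["Intent"] = [s.strip() for s in str(alert.get("Intent", "")).split(",") if s.strip()]
    # ExtendedProperties is typed Dictionary<String, String>; the sample's integer
    # PID shows why values are coerced to str instead of passed through.
    props = {str(k): str(v) for k, v in (alert.get("ExtendedProperties") or {}).items()}
    out["ExtendedProperties"] = props
    # Resolve %{Name} placeholders from ExtendedProperties; unknown names stay literal.
    out["Description"] = PLACEHOLDER.sub(lambda m: props.get(m.group(1), m.group(0)),
                                         alert.get("Description") or "")
    out["RemediationSteps"] = list(alert.get("RemediationSteps") or [])
    out["Entities"] = list(alert.get("Entities") or [])
    out["ResourceIdentifiers"] = list(alert.get("ResourceIdentifiers") or [])
    return out


def routing_targets(alert):
    """Map each ResourceIdentifier Type to the value that routes the alert."""
    targets = {}
    for ident in alert.get("ResourceIdentifiers") or []:
        kind = ident.get("Type")
        if kind == "AzureResource":
            targets[kind] = ident.get("AzureResourceId")
        elif kind == "LogAnalytics":
            targets[kind] = ident.get("WorkspaceId")
    return targets


if __name__ == "__main__":
    print(normalize_alert(SAMPLE_ALERT))
    print(routing_targets(SAMPLE_ALERT))
```

Two design choices are worth noting. Timestamps are rejected rather than defaulted when the UTC designator is missing, because a naive timestamp silently shifts an alert's position on a timeline during investigation; and the Status fallbacks mirror the table exactly, so a producer sending an unrecognised value lands in `Unknown` rather than failing ingestion.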