Security alerts schemas

Users of Azure Security Center's standard tier receive security alerts when Security Center detects threats to their resources.

You can view these security alerts in Azure Security Center's Threat Protection pages, or through external tools such as:

If you consume alerts programmatically, you need the correct schema to locate the fields that are relevant to you. Likewise, if you export alerts to an Event Hub or trigger workflow automation through generic HTTP connectors, use these schemas to parse the JSON objects correctly.

Important

The schema is slightly different for each of these scenarios, so make sure you use the schema that matches the consumer you're integrating with.

The schemas

Sample JSON for alerts sent to Logic Apps, Event Hub, and third-party SIEMs

Below you'll find the schema of the alert events passed to:

  • Azure Logic App instances that were configured in Security Center's workflow automation
  • Azure Event Hub using Security Center's continuous export feature

For more information about the workflow automation feature, see Automate responses to alerts and recommendations. For more information about continuous export, see Export alerts and recommendations.

{
  "VendorName": "Microsoft",
  "AlertType": "SUSPECT_SVCHOST",
  "StartTimeUtc": "2016-12-20T13:38:00.000Z",
  "EndTimeUtc": "2019-12-20T13:40:01.733Z",
  "ProcessingEndTime": "2019-09-16T12:10:19.5673533Z",
  "TimeGenerated": "2016-12-20T13:38:03.000Z",
  "IsIncident": false,
  "Severity": "High",
  "Status": "New",
  "ProductName": "Azure Security Center",
  "SystemAlertId": "2342409243234234_F2BFED55-5997-4FEA-95BD-BB7C6DDCD061",
  "CompromisedEntity": "WebSrv1",
  "Intent": "Execution",
  "AlertDisplayName": "Suspicious process detected",
  "Description": "Suspicious process named 'SVCHOST.EXE' was running from path: %{Process Path}",
  "RemediationSteps": ["contact your security information team"],
  "ExtendedProperties": {
    "Process Path": "c:\\temp\\svchost.exe",
    "Account": "Contoso\\administrator",
    "PID": 944,
    "ActionTaken": "Detected"
  },
  "Entities": [],
  "ResourceIdentifiers": [
    {
      "Type": "AzureResource",
      "AzureResourceId": "/subscriptions/86057C9F-3CDD-484E-83B1-7BF1C17A9FF8/resourceGroups/backend-srv/providers/Microsoft.Compute/WebSrv1"
    },
    {
      "Type": "LogAnalytics",
      "WorkspaceId": "077BA6B7-8759-4F41-9F97-017EB7D3E0A8",
      "WorkspaceSubscriptionId": "86057C9F-3CDD-484E-83B1-7BF1C17A9FF8",
      "WorkspaceResourceGroup": "omsrg",
      "AgentId": "5A651129-98E6-4E6C-B2CE-AB89BD815616"
    }
  ]
}

The data model of the schema

Field | Data type | Description
--- | --- | ---
AlertDisplayName | String | The display name of the alert.
AlertType | String | The type of alert. This is a keyed string that identifies the detection logic or analytic, not an alert instance: all alert instances produced by the same detection logic have the same AlertType.
CompromisedEntity | String | The display name of the resource most related to this alert.
Description | String | Description of the alert.
EndTimeUtc | DateTime | The time of the last event or activity included in the alert. A string in ISO 8601 format, including UTC timezone information.
Entities | IEnumerable (IEntity) | A list of entities related to the alert. The list can mix entities of different types; the types are defined in the Entities section. Entity types not defined there can also be sent, but they aren't guaranteed to be processed (an alert doesn't fail validation because of a new entity type).
ExtendedProperties | Dictionary (String, String) | Providers can optionally include custom fields here.
Intent | Enum | The kill-chain intent behind the alert. This field can hold multiple values, separated by commas. For the list of supported values and explanations of Azure Security Center's supported kill-chain intents, see Intentions.
IsIncident | Bool | Whether the alert is an incident (a compound grouping of several alerts) or a single alert. The default is false (a single alert).
ProcessingEndTime | DateTime | The time the alert became accessible to the end user in the original product holding the alert.
ProductName | String | The name of the product that published this alert (Azure Security Center, Azure ATP, Microsoft Defender ATP, O365 ATP, MCAS, and so on).
RemediationSteps | List | Manual action items to take to remediate the alert.
ResourceIdentifiers | List (Resource Identifiers) | The resource identifiers for this alert, used to direct the alert to the right product exposure group (tenant, workspace, subscription, and so on). An alert can carry multiple identifiers of different types.
Severity | Enum | The severity of the alert as reported by the provider. Possible values: Informational, Low, Medium, and High.
StartTimeUtc | DateTime | The time of the first event or activity included in the alert. A string in ISO 8601 format, including UTC timezone information.
Status | Enum | The life-cycle status of the alert. Supported statuses: New, Resolved, Dismissed, Unknown. An alert that specifies any other value is assigned the status Unknown; an alert that doesn't specify a value is assigned the status New.
SystemAlertId | String | The alert identifier.
TimeGenerated | DateTime | The time the alert was generated by the alert provider. If an internal provider doesn't report it, the product can assign the time the alert was received for processing. A string in ISO 8601 format, including UTC timezone information.
VendorName | String | The name of the vendor that raises the alert.
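As an added example (not code from this page or from Security Center itself), here is a Python consumer for the alert JSON described above, of the kind you would run behind an Event Hub reader or a generic HTTP connector. It checks the fields this example treats as required, applies the Status rules from the data model (no value becomes New, an unsupported value becomes Unknown), splits the comma-separated Intent, parses the ISO 8601 timestamps (including the seven-digit fraction in ProcessingEndTime, which older versions of Python's fromisoformat reject), coerces ExtendedProperties values to strings, and pulls the ARM resource ID and its subscription out of ResourceIdentifiers for routing. The required-field set, the helper names (parse_utc, parse_alert, azure_resource_ids, subscription_of, sample_alert) and the embedded sample, which is the page's alert rewritten as valid JSON, are assumptions of this example.

```python
"""Parse, validate and route Security Center alert JSON. Added example: this is
not code from the original page or from Security Center itself."""
from __future__ import annotations

import json
import re
from datetime import datetime, timedelta, timezone
from typing import Any

# Assumption of this example: treat fields the data model gives no default as mandatory.
REQUIRED = ("VendorName", "AlertType", "StartTimeUtc", "EndTimeUtc", "TimeGenerated",
            "Severity", "ProductName", "SystemAlertId", "AlertDisplayName", "Description")
SEVERITIES = ("Informational", "Low", "Medium", "High")
STATUSES = ("New", "Resolved", "Dismissed", "Unknown")
# ISO 8601 with optional fraction and a mandatory zone designator ('Z' or +hh:mm).
ISO_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})$")
ARM_RE = re.compile(r"^/subscriptions/([^/]+)/resourceGroups/([^/]+)/", re.I)


def parse_utc(value: str) -> datetime:
    """ISO 8601 string -> aware UTC datetime. Handles fractions longer than six
    digits (ProcessingEndTime has seven), which older fromisoformat() rejects."""
    m = ISO_RE.match(value)
    if not m:
        raise ValueError(f"not an ISO 8601 timestamp with zone: {value!r}")
    base, frac, zone = m.groups()
    micro = int((frac or "0")[:6].ljust(6, "0"))  # truncate extra digits, never round
    offset = timedelta(0)
    if zone != "Z":
        hours, minutes = zone[1:].split(":")
        offset = timedelta(hours=int(hours), minutes=int(minutes))
        offset = offset if zone[0] == "+" else -offset
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return dt.replace(microsecond=micro, tzinfo=timezone(offset)).astimezone(timezone.utc)


def parse_alert(raw: str | dict[str, Any]) -> dict[str, Any]:
    """Validate one alert and return it with Status, Intent, timestamps and
    ExtendedProperties normalised per the data model; ValueError if malformed."""
    data = json.loads(raw) if isinstance(raw, str) else dict(raw)
    missing = [f for f in REQUIRED if f not in data]
    if missing:
        raise ValueError(f"alert is missing required fields: {missing}")
    if data["Severity"] not in SEVERITIES:
        raise ValueError(f"unsupported Severity: {data['Severity']!r}")
    status = data.get("Status") or "New"        # no value -> New
    if status not in STATUSES:                  # unsupported value -> Unknown
        status = "Unknown"
    intents = [i.strip() for i in str(data.get("Intent") or "").split(",") if i.strip()]
    start, end = parse_utc(data["StartTimeUtc"]), parse_utc(data["EndTimeUtc"])
    if end < start:
        raise ValueError("EndTimeUtc precedes StartTimeUtc")
    # Declared Dictionary(String,String), but the sample's PID is a number: coerce.
    extended = {k: str(v) for k, v in (data.get("ExtendedProperties") or {}).items()}
    return {**data, "Status": status, "Intent": intents, "StartTimeUtc": start,
            "EndTimeUtc": end, "IsIncident": bool(data.get("IsIncident", False)),
            "ExtendedProperties": extended,
            "ResourceIdentifiers": list(data.get("ResourceIdentifiers") or [])}


def azure_resource_ids(alert: dict[str, Any]) -> list[str]:
    """ARM resource IDs from ResourceIdentifiers entries of Type AzureResource."""
    return [r["AzureResourceId"] for r in alert["ResourceIdentifiers"]
            if r.get("Type") == "AzureResource" and "AzureResourceId" in r]


def subscription_of(resource_id: str) -> str | None:
    """Subscription GUID from an ARM resource ID, used to route to its owners."""
    m = ARM_RE.match(resource_id)
    return m.group(1) if m else None


# Constructed sample: the page's example alert rewritten as valid JSON.
SAMPLE_ALERT = r"""{
  "VendorName": "Microsoft", "AlertType": "SUSPECT_SVCHOST", "IsIncident": false,
  "StartTimeUtc": "2016-12-20T13:38:00.000Z", "EndTimeUtc": "2019-12-20T13:40:01.733Z",
  "ProcessingEndTime": "2019-09-16T12:10:19.5673533Z", "TimeGenerated": "2016-12-20T13:38:03.000Z",
  "Severity": "High", "Status": "New", "ProductName": "Azure Security Center",
  "SystemAlertId": "2342409243234234_F2BFED55-5997-4FEA-95BD-BB7C6DDCD061",
  "CompromisedEntity": "WebSrv1", "Intent": "Execution",
  "AlertDisplayName": "Suspicious process detected",
  "Description": "Suspicious process named 'SVCHOST.EXE' was running from path: %{Process Path}",
  "RemediationSteps": ["contact your security information team"],
  "ExtendedProperties": {"Process Path": "c:\\temp\\svchost.exe", "Account": "Contoso\\administrator",
                         "PID": 944, "ActionTaken": "Detected"},
  "Entities": [],
  "ResourceIdentifiers": [
    {"Type": "AzureResource", "AzureResourceId": "/subscriptions/86057C9F-3CDD-484E-83B1-7BF1C17A9FF8/resourceGroups/backend-srv/providers/Microsoft.Compute/WebSrv1"},
    {"Type": "LogAnalytics", "WorkspaceId": "077BA6B7-8759-4F41-9F97-017EB7D3E0A8",
     "WorkspaceSubscriptionId": "86057C9F-3CDD-484E-83B1-7BF1C17A9FF8",
     "WorkspaceResourceGroup": "omsrg", "AgentId": "5A651129-98E6-4E6C-B2CE-AB89BD815616"}]
}"""


def sample_alert(**overrides: Any) -> dict[str, Any]:
    """The sample as a dict with fields overridden; pass Field=None to drop a field."""
    data = {**json.loads(SAMPLE_ALERT), **overrides}
    return {k: v for k, v in data.items() if v is not None}
```

Calling parse_alert(SAMPLE_ALERT) and then subscription_of(azure_resource_ids(alert)[0]) yields the subscription GUID from the sample's AzureResourceId, which is the key a router needs to hand the alert to the owning team. Two points are deliberate: timestamps are parsed with an explicit regex rather than trusted to fromisoformat, because producers emit fractions of varying length, and ExtendedProperties values are coerced to strings because the declared type and the sample disagree, so downstream code should not assume either.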

Next steps

This article described the schemas that Azure Security Center's threat protection tools use when sending security alert information.

For more information on the ways to access security alerts from outside Security Center, see the following pages: