Second draft, plus TOC

yelevin · yelevin · commit 08060064eab9 · 2022-01-11T15:36:02.000+02:00
diff --git a/articles/sentinel/TOC.yml b/articles/sentinel/TOC.yml
@@ -320,6 +320,8 @@
     items:
     - name: Data source schema reference
       href: data-source-schema-reference.md
+    - name: Security alert schema reference
+      href: security-alert-schema.md
     - name: CEF log field mapping
       href: cef-name-mapping.md
     - name: Normalization
diff --git a/articles/sentinel/security-alert-schema.md b/articles/sentinel/security-alert-schema.md
@@ -6,7 +6,7 @@ cloud: na
 documentationcenter: na
 author: yelevin
 ms.topic: reference
-ms.date: 11/17/2021
+ms.date: 01/11/2022
 ms.author: yelevin
 
 ---
@@ -15,46 +15,55 @@ ms.author: yelevin
 
 [!INCLUDE [Banner for top of topics](./includes/banner.md)]
 
-This article lists supported Azure and third-party data source schemas, with links to their reference documentation.
+Microsoft Sentinel [analytics rules](detect-threats-built-in.md) create incidents as the result of **security alerts**. Security alerts can come from different sources, and accordingly use different kinds of analytics rules to create incidents:
+
+- **Scheduled** analytics rules generate alerts as the result of their regular queries of data in logs ingested from external sources, and those same rules create incidents from those alerts. (For the purposes of this document, "scheduled" rule alerts include **NRT rule alerts**.)
+
+- **Microsoft Security** analytics rules create incidents from alerts that are ingested as-is from other Microsoft security products, for example, Microsoft 365 Defender and Microsoft Defender for Cloud.
+
+Regardless of the source, these alerts are all stored together in the *SecurityAlert* table in your Log Analytics workspace. This article describes the schema of this table.
+
+Because alerts come from many sources, not all fields are used by all providers. Some fields may be left blank.
 
 ## Schema definitions
 
-| Column Name | Type | Descrption | Yechiel's Comments |
+| Column Name | Type | Description | *Questions* |
 | --- | --- | --- | --- |
-| **AlertLink** | string | Link to the alert in the portal of the originating product. |  |
-| **AlertName** | string | Display name of the alert. For scheduled rules, it will be taken from the rule name. | ASC wanted to deprecate one (display and alert name) but left the 2 <br>For non-scheduled rules, what will this say? |
-| **AlertSeverity** | string | Severity of the alert (informational, low, medium, high). |  |
-| **AlertType** | string | The type of alert. Alerts of the same type should have the same name. For scheduled rules, this will be populated by the rule ID. | For other rule types, what is this? The alert type (anomaly, NRT, Microsoft Security, etc.)? |
-| **CompromisedEntity** | string | Display name of the main entity being alerted on. |  |
-| **ConfidenceLevel** | string | The confidence level of this alert: how sure the provider is that this is not a false positive. |  |
-| **ConfidenceScore** | real | The confidence score of the alert, if applicable. This property allows for a more fine-grained representation of the confidence level of the alert compared to the ConfidenceLevel field. Valid values are in the range of 0.0-1.0 (inclusive). |  |
-| **Description** | string | The description of the alert. |  |
-| **DisplayName** | string | Display name of the alert. For scheduled rules   it will be taken from the rule name. | ASC wanted to deprecate one (display and alert name) but left the 2 |
-| **EndTime** | datetime | The end time of the impact of the alert (the time of the last event or activity included in the alert). For scheduled rule alerts, this is the value of the TimeGenerated field for the last event captured by the query. |  |
-| **Entities** | string | A list of entities related to the alert. This list can include a combination of entities of different types. The entities' types can be any of those defined in the [documentation](entities-reference.md). |  |
-| **ExtendedLinks** | string | A bag (a collection) for all links related to the alert. This bag can include a combination of links of different types. |  |
-| **ExtendedProperties** | string | A collection of other properties of the alert, including user-defined properties. Any custom details defined in the alert, and any dynamic content in the alert details, are stored here. |  |
-| **IsIncident** | boolean | DEPRECATED. Will always be set to *false*. | was used before for ASC they had Alert (incident) and alert  |
-| **ProcessingEndTime** | datetime | The time of the alert's publishing. For scheduled rule alerts, this is the value of the TimeGenerated field. |  |
-| **ProductComponentName** | string | The name of the component of the product that generated the alert. |  |
-| **ProductName** | string | The name of the product that published the alert. |  |
-| **ProviderName** | string | The name of the alert provider ***------------------(e.g. Scheduled alert - ASI Scheduled Alerts, NRT - ASI NRT Alerts, Azure defender - Azure Security Center)------------------*** | This needs to be better differentiated from ProductName. Maybe a footnote (or a cross-reference) explaining what an alert provider is? |
-| **RemediationSteps** | string | Manual action items to take to remediate the alert. |  |
-| **ResourceId** | string | A unique identifier for the resource that the alert is associated with. |  |
-| **SourceComputerId** | string | DEPRECATED. Was the agent ID that created the alert. |  |
-| **SourceSystem** | string | DEPRECATED. Will always be populated with the string "Detection". | Not to document? Because deprecated? |
-| **StartTime** | datetime | The start time of the impact of the alert (the time of the first event or activity included in the alert). For scheduled rule alerts, this is the value of the TimeGenerated field for the first event captured by the query. |  |
-| **Status** | string | The status of the alert within the life cycle. [New / InProgress / Resolved / Dismissed / Unknown] |  |
-| **SystemAlertId** | string | Internal unique ID for the alert in Sentinel. |  |
-| **Tactics** | string | MITRE tactics associated with the alert, in comma-separated list form. |  |
-| **TenantId** | string | Unique ID of the tenant. | Not to document |
-| **TimeGenerated** | datetime | The time the alert was generated (in UTC). |  |
-| **Type** | string | The name of the table. |  |
-| **VendorName** | string | The vendor of the product that produces the alert. | Is this ever anything besides the manufacturer of ProductName/ProviderName? |
-| **VendorOriginalId** | string | Unique id for the specific alert instance set by the provider. |  |
-| **WorkspaceResourceGroup** | string | The Azure resource group for the Log Analytics workspace storing this alert | DEPRECATED |
-| **WorkspaceSubscriptionId** | string | The Azure subscription ID for the Log Analytics workspace storing this alert | DEPRECATED |
-|  |  |  |  |
+| **AlertLink** | string | A link to the alert in the portal of the originating product. |
+| **AlertName** | string | The display name of the alert. <ul><li>**Scheduled rule alerts:** taken from the rule name.<li>**Ingested alerts:** the display name of the alert in the originating product. | Check for correctness |
+| **AlertSeverity** | string | The severity of the alert. [Informational / Low / Medium / High] |
+| **AlertType** | string | The type of alert. <ul><li>**Scheduled rule alerts:** taken from the rule ID.<li>**Ingested alerts:** some products group their alerts by type. In some cases, may be identical to or synonymous with the product name. | Check for correctness |
+| **CompromisedEntity** | string | The display name of the main entity being alerted on. |
+| **ConfidenceLevel** | string | The confidence level of this alert: how sure the provider is that this is not a false positive. |
+| **ConfidenceScore** | real | The confidence score of the alert, on a scale of 0.0-1.0, if applicable. This property allows for a more fine-grained representation of the confidence level of the alert compared to the ConfidenceLevel field. |
+| **Description** | string | The description of the alert. |
+| **DisplayName** | string | The display name of the alert. Synonymous with **AlertName** but retained for compatibility. | Check for correctness |
+| **EndTime** | datetime | The end time of the impact of the alert. <ul><li>**Scheduled rule alerts:** the value of the TimeGenerated field for the last *event* captured by the query.<li>**Ingested alerts:** the time of the last event or activity included in the alert. | Check for correctness |
+| **Entities** | string | A list of the entities identified in the alert. This list can include a combination of entities of different types. The entities' types can be any of those defined in the schema, as described in the [entities documentation](entities-reference.md). | Can entities be identified in ingested alerts, or only in scheduled alerts that have entity mapping? |
+| **ExtendedLinks** | string | A bag (a collection) for all links related to the alert. This bag can include a combination of links of different types. |
+| **ExtendedProperties** | string | A collection of other properties of the alert, including user-defined properties. Any [custom details](surface-custom-details-in-alerts.md) defined in the alert, and any dynamic content in the [alert details](customize-alert-details.md), are stored here. |  |
+| **IsIncident** | boolean | DEPRECATED. Always set to *false*. |
+| **ProcessingEndTime** | datetime | The time of the alert's publishing. For scheduled rule alerts, this is the value of the TimeGenerated field. | For ingested alerts, what is it? The ingestion time? How is it differentiated from *TimeGenerated*? |
+| **ProductComponentName** | string | The name of the component of the product that generated the alert. | Example of how this is different than *ProviderName*? |
+| **ProductName** | string | The name of the product that generated the alert. |
+| **ProviderName** | string | The name of the alert provider - the service within the product - that generated the alert. | Example of how this is different than *ProductComponentName*? |
+| **RemediationSteps** | string | A list of action items to take to remediate the alert. |
+| **ResourceId** | string | A unique identifier for the resource that is the subject of the alert. |
+| **SourceComputerId** | string | DEPRECATED. Was the agent ID on the server that created the alert. |
+| **SourceSystem** | string | DEPRECATED. Always populated with the string "Detection". |
+| **StartTime** | datetime | The start time of the impact of the alert. <ul><li>**Scheduled rule alerts:** the value of the *TimeGenerated* field for the first *event* captured by the query.<li>**Ingested alerts:** the time of the first event or activity included in the alert. | Check for correctness |
+| **Status** | string | The status of the alert within the life cycle. [New / InProgress / Resolved / Dismissed / Unknown] |
+| **SystemAlertId** | string | The internal unique ID for the alert in Microsoft Sentinel. |
+| **Tactics** | string | A comma-delineated list of MITRE ATT&CK tactics associated with the alert. |
+| **Techniques** | string | A comma-delineated list of MITRE ATT&CK techniques associated with the alert. |
+| **TenantId** | string | The unique ID of the tenant. |
+| **TimeGenerated** | datetime | The time the alert was generated (in UTC). | Also for ingested alerts? Or is it the ingestion time for those? |
+| **Type** | string | The constant ('SecurityAlert') | Check for correctness |
+| **VendorName** | string | The vendor of the product that produced the alert. |
+| **VendorOriginalId** | string | Unique ID for the specific alert instance, set by the originating product. |
+| **WorkspaceResourceGroup** | string | DEPRECATED. Was the Azure resource group of the Log Analytics workspace containing the resource that generated the alert. | Check for correctness |
+| **WorkspaceSubscriptionId** | string | DEPRECATED. Was the Azure subscription ID of the Log Analytics workspace containing the resource that generated the alert | Check for correctness |
+|  |  |  |
 
 ## Next steps
 
