
Commit 0b6e028

Merge pull request #219438 from yelevin/yelevin/dynamic-alert-properties
Customize more alert details
2 parents 34b8c81 + 58dfd8c commit 0b6e028


9 files changed

+53
-21
lines changed


articles/sentinel/customize-alert-details.md

Lines changed: 39 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -3,51 +3,73 @@ title: Customize alert details in Microsoft Sentinel | Microsoft Docs
33
description: Customize how alerts are named and described, along with their severity and assigned tactics, based on the alerts' content.
44
author: yelevin
55
ms.topic: how-to
6-
ms.date: 04/26/2022
6+
ms.date: 11/23/2022
77
ms.author: yelevin
8-
ms.custom: ignite-fall-2021
98
---
109

1110
# Customize alert details in Microsoft Sentinel
1211

13-
[!INCLUDE [Banner for top of topics](./includes/banner.md)]
12+
This article explains how to override the default properties of alerts with content from the underlying query results.
1413

15-
## Introduction
14+
In the process of creating a scheduled analytics rule, as the first step you define a name and description for the rule, and you assign it a severity and MITRE ATT&CK tactics. All alerts generated by a given rule - and all incidents created as a result - will inherit the name, description, severity, and tactics defined in the rule, without regard to the particular content of a specific instance of the alert.
1615

17-
When you define a name and description for your scheduled analytics rules, and you assign them severities and MITRE ATT&CK tactics, all alerts generated by a particular rule - and all incidents created as a result - will be displayed with the same name, description, and so on, without regard to the particular content of a specific instance of the alert.
16+
With the **alert details** feature, you can override these and other default properties of alerts in two ways:
1817

19-
With the **alert details** feature, you can tailor an alert's appearance to its content. Here you can select parameters in your alert that can be represented in the name or description of each instance of the alert, or that can contain the tactics and severity assigned to that instance of the alert. If the selected parameter has no value (or an invalid value in the case of tactics and severity), the alert details will revert to the defaults specified in the first page of the wizard.
18+
- Create custom, variable names and descriptions for your alerts. You can select fields in your alert's query output whose contents can be included in the name or description of each instance of the alert. If the selected field has no value in a given instance, the alert details for that instance will revert to the defaults specified in the first page of the wizard.
2019

21-
The procedure detailed below is part of the analytics rule creation wizard. It's treated here independently to address the scenario of adding or changing alert details in an existing analytics rule.
20+
- Customize the severity, tactics, and other properties of a given instance of an alert (see the full list of properties below) with the values of any relevant fields from the query output. If the selected fields are empty or have values that don't match the field data type, the respective alert properties will revert to their defaults (for tactics and severity, those specified in the first page of the wizard).
21+
22+
> [!IMPORTANT]
23+
> Some alert details' customizability (see those so indicated below) are currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
24+
25+
26+
Follow the procedure detailed below to use the alert details feature. These steps are part of the [analytics rule creation wizard](detect-threats-custom.md), but they're addressed here independently to address the scenario of adding or changing alert details in an existing analytics rule.
2227

2328
## How to customize alert details
2429

2530
1. From the Microsoft Sentinel navigation menu, select **Analytics**.
2631

27-
1. Select a scheduled query rule and click **Edit**. Or create a new rule by clicking **Create > Scheduled query rule** at the top of the screen.
32+
1. Select a scheduled query rule and select **Edit**. Or create a new rule by selecting **Create > Scheduled query rule** at the top of the screen.
2833

29-
1. Click the **Set rule logic** tab.
34+
1. Select the **Set rule logic** tab.
3035

3136
1. In the **Alert enrichment** section, expand **Alert details**.
3237

3338
:::image type="content" source="media/customize-alert-details/alert-enrichment.png" alt-text="Customize alert details":::
3439

35-
1. In the now-expanded **Alert details** section, add free text that includes parameters corresponding to the details you want to display in the alert:
40+
1. In the now-expanded **Alert details** section, add free text that includes properties corresponding to the details you want to display in the alert:
3641

37-
1. In the **Alert Name Format** field, enter the text you want to appear as the name of the alert (the alert text), and include, in double curly brackets, any parameters you want to be part of the alert text.
42+
1. In the **Alert Name Format** field, enter the text you want to appear as the name of the alert (the alert text), and include, in double curly brackets, any query output fields you want to be part of the alert text.
3843

39-
Example: `Alert from {{ProviderName}}: {{AccountName}} failed to log on to computer {{ComputerName}}.`
44+
Example: `Alert from {{ProviderName}}: {{AccountName}} failed to sign in to computer {{ComputerName}}.`
4045

4146
1. Do the same with the **Alert Description Format** field.
4247

4348
> [!NOTE]
4449
> You are currently limited to **three parameters each** in the **Alert Name Format** and **Alert Description Format** fields.
4550
46-
1. Use the **Tactic Column** and **Severity Column** fields only if your query results contain columns with this information in them. For each one, choose the column that contains the corresponding information.
47-
48-
If you change your mind, or if you made a mistake, you can remove an alert detail by clicking the trash can icon next to the **Tactic/Severity Column** fields or delete the free text from the **Alert Name/Description Format** fields.
49-
50-
1. When you have finished customizing your alert details, continue to the next tab in the wizard. If you're editing an existing rule, click the **Review and create** tab. Once the rule validation is successful, click **Save**.
51+
1. To override other default properties, select an alert property from the **Alert property** drop-down list. Then select the field from the query results, whose contents you want to populate the alert property, from the **Value** drop-down list.
52+
53+
1. To override more default properties, select **+ Add new** and repeat the previous step.
54+
55+
The following alert properties can be overridden:
56+
- AlertName
57+
- Description
58+
- AlertSeverity
59+
- Tactics
60+
- Techniques (Preview)
61+
- AlertLink (Preview)
62+
- ConfidenceLevel (Preview)
63+
- ConfidenceScore (Preview)
64+
- ExtendedLinks (Preview)
65+
- ProductComponentName (Preview)
66+
- ProductName (Preview)
67+
- ProviderName (Preview)
68+
- RemediationSteps (Preview)
69+
70+
If you change your mind, or if you made a mistake, you can remove an alert detail by clicking the trash can icon next to the **Alert property/Value** pair, or delete the free text from the **Alert Name/Description Format** fields.
71+
72+
1. When you have finished customizing your alert details, if you're now creating the rule, continue to the next tab in the wizard. If you're editing an existing rule, select the **Review and create** tab. Once the rule validation is successful, select **Save**.
5173

5274
## Next steps
5375

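Review bot: the unchanged NOTE at old line 44 still reads "You are currently limited to **three parameters each**", while every other line in this hunk renames "parameters" to "query output fields" or "properties"; change it to "three query output fields each" and say whether the limit also applies to the new **Alert property**/**Value** pairs, since the new step 6 invites "+ Add new" repeatedly without stating any cap. Three smaller points in the added lines: "> Some alert details' customizability ... are currently in **PREVIEW**" has a singular subject and needs "is"; "they're addressed here independently to address the scenario" repeats "address" (suggest "they're covered here independently to address the scenario"); and "select the field from the query results, whose contents you want to populate the alert property, from the **Value** drop-down list" is hard to parse, so consider "from the **Value** drop-down list, select the query result field whose value should populate that property".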
articles/sentinel/detect-threats-custom.md

Lines changed: 2 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -10,14 +10,12 @@ ms.custom: ignite-fall-2021
1010

1111
# Create custom analytics rules to detect threats
1212

13-
[!INCLUDE [Banner for top of topics](./includes/banner.md)]
14-
1513
After [connecting your data sources](quickstart-onboard.md) to Microsoft Sentinel, create custom analytics rules to help discover threats and anomalous behaviors in your environment.
1614

1715
Analytics rules search for specific events or sets of events across your environment, alert you when certain event thresholds or conditions are reached, generate incidents for your SOC to triage and investigate, and respond to threats with automated tracking and remediation processes.
1816

1917
> [!TIP]
20-
> When creating custom rules, use existing rules as templates or references. Using existing rules as a baseline helps by building out most of the logic before you make any changes needed.
18+
> When creating custom rules, use existing rules as templates or references. Using existing rules as a baseline helps by building out most of the logic before you make any needed changes.
2119
2220
> [!div class="checklist"]
2321
> - Create analytics rules
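Review bot: the banner include is removed here, but `ms.custom: ignite-fall-2021` stays in the front matter (visible in the `@@ -10,14 +10,12 @@ ms.custom: ignite-fall-2021` context), whereas the companion edit to customize-alert-details.md in this same commit dropped the banner and that `ms.custom` line together. Either remove it here as well for consistency or note why it should remain. The TIP rewording ("before you make any needed changes") is fine.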
@@ -94,7 +92,7 @@ In the **Set rule logic** tab, you can either write a query directly in the **Ru
9492
9593
Learn more about surfacing custom details in alerts, and see the [complete instructions](surface-custom-details-in-alerts.md).
9694
97-
- Use the **Alert details** configuration section to tailor the alert's presentation details to its actual content. Alert details allow you to display, for example, an attacker's IP address or account name in the title of the alert itself, so it will appear in your incidents queue, giving you a much richer and clearer picture of your threat landscape.
95+
- Use the **Alert details** configuration section to override default values of the alert's properties with details from the underlying query results. Alert details allow you to display, for example, an attacker's IP address or account name in the title of the alert itself, so it will appear in your incidents queue, giving you a much richer and clearer picture of your threat landscape.
9896
9997
See complete instructions on [customizing your alert details](customize-alert-details.md).
10098
Six binary files (images) changed; not shown.

articles/sentinel/whats-new.md

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,18 @@ The listed features were released in the last three months. For information abou
1616

1717
[!INCLUDE [reference-to-feature-availability](includes/reference-to-feature-availability.md)]
1818

19+
## December 2022
20+
21+
- [Customize more alert properties (Preview)](#customize-more-alert-properties-preview)
22+
23+
### Customize more alert properties (Preview)
24+
25+
Alerts generated by a given analytics rule - and all incidents created as a result - inherit the name, description, severity, and tactics defined in the rule, without regard to the particular content of a specific instance of the alert.
26+
27+
You've already been able to use the **alert details** feature to override these four default properties of alerts; now there are **nine more alert properties** that can be customized to override their defaults.
28+
29+
See which ones, and learn how to use the updated mechanism, in [Customize alert details in Microsoft Sentinel](customize-alert-details.md).
30+
1931
## November 2022
2032

2133
- [Use Incident tasks to manage incident workflow (Preview)](#use-incident-tasks-to-manage-incident-workflow-preview)
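Review bot: this entry is filed under a new "## December 2022" heading, but customize-alert-details.md in the same commit sets `ms.date: 11/23/2022`; align the two so the what's-new month and the article date agree (either make this a November 2022 entry or give the article a December date). The property count is consistent with the article: it lists 13 overridable properties, four pre-existing plus nine marked (Preview), matching "nine more alert properties" here.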
