articles/sentinel/security-alert-schema.md
2 additions & 2 deletions
@@ -41,7 +41,7 @@ Because alerts come from many sources, not all fields are used by all providers.
41
41
|**EndTime**| datetime | The end time of the impact of the alert. <ul><li>**Scheduled rule alerts:** the value of the *TimeGenerated* field for the last *event* captured by the query.<li>**Ingested alerts:** the time of the last event or activity included in the alert. |
42
42
|**Entities**| string | A list of the entities identified in the alert. This list can include a combination of entities of different types. The entities' types can be any of those defined in the schema, as described in the [entities documentation](entities-reference.md). |
43
43
|**ExtendedLinks**| string | A bag (a collection) for all links related to the alert. This bag can include a combination of links of different types. |
44
-
|**ExtendedProperties**| string | A collection of other properties of the alert, including user-defined properties. Any [custom details](surface-custom-details-in-alerts.md) defined in the alert, and any dynamic content in the [alert details](customize-alert-details.md), are stored here. ||
44
+
|**ExtendedProperties**| string | A collection of other properties of the alert, including user-defined properties. Any [custom details](surface-custom-details-in-alerts.md) defined in the alert, and any dynamic content in the [alert details](customize-alert-details.md), are stored here. |
45
45
|**IsIncident**| boolean | DEPRECATED. Always set to *false*. |
46
46
|**ProcessingEndTime**| datetime | The time of the alert's publishing. <ul><li>**Scheduled rule alerts:** the value of the *TimeGenerated* field.<li>**Ingested alerts:** the time that the originating product completes the production of the alert. |
47
47
|**ProductComponentName**| string | The name of the component of the product that generated the alert. |
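Review bot: the ExtendedProperties fix (dropping the trailing `||` so the row ends in a single `|`) is correct; the doubled pipe would render as an extra empty column in the schema table. While this hunk is open, the EndTime and ProcessingEndTime rows use raw `<ul><li>` markup inside the cell without closing `</li>` or `</ul>` tags; closing them keeps the rendering predictable across Markdown renderers and matches the rest of the table.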
@@ -57,7 +57,7 @@ Because alerts come from many sources, not all fields are used by all providers.
57
57
|**Tactics**| string | A comma-delineated list of MITRE ATT&CK tactics associated with the alert. |
58
58
|**Techniques**| string | A comma-delineated list of MITRE ATT&CK techniques associated with the alert. |
59
59
|**TenantId**| string | The unique ID of the tenant. |
60
-
|**TimeGenerated**| datetime | The time the alert was generated (in UTC). | Also for ingested alerts? Or is it the ingestion time for those? |
60
+
|**TimeGenerated**| datetime | The time the alert was generated (in UTC). |
61
61
|**Type**| string | The constant ('SecurityAlert') |
62
62
|**VendorName**| string | The vendor of the product that produced the alert. |
63
63
|**VendorOriginalId**| string | Unique ID for the specific alert instance, set by the originating product. |
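Review bot: removing the draft note ("Also for ingested alerts? Or is it the ingestion time for those?") from the TimeGenerated row is right, but the question it raised is still unanswered in the text. EndTime and ProcessingEndTime in this file spell out the difference between scheduled rule alerts and ingested alerts, while TimeGenerated says only "The time the alert was generated (in UTC)"; analysts writing time-window queries over SecurityAlert need to know whether, for ingested alerts, this is the originating product's generation time or the time Sentinel ingested it. Suggest adding the same two-bullet breakdown to this row. Minor: "comma-delineated" in the Tactics and Techniques rows should read "comma-delimited".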