Merge pull request #268085 from batamig/alert-details-override

PMEds28 · web-flow · commit 378aaa32bd2c · 2024-03-14T10:21:46.000Z
Sentinel alert property details
diff --git a/articles/sentinel/customize-alert-details.md b/articles/sentinel/customize-alert-details.md
@@ -3,7 +3,7 @@ title: Customize alert details in Microsoft Sentinel | Microsoft Docs
 description: Customize how alerts are named and described, along with their severity and assigned tactics, based on the alerts' content.
 author: yelevin
 ms.topic: how-to
-ms.date: 11/23/2022
+ms.date: 03/05/2024
 ms.author: yelevin
 ---
 
@@ -50,22 +50,23 @@ Follow the procedure detailed below to use the alert details feature. These step
 
     1. To override other default properties, select an alert property from the **Alert property** drop-down list. Then select the field from the query results, whose contents you want to populate the alert property, from the **Value** drop-down list.
 
-    1. To override more default properties, select **+ Add new** and repeat the previous step.
-
-        The following alert properties can be overridden:
-        - AlertName
-        - Description
-        - AlertSeverity
-        - Tactics
-        - Techniques (Preview)
-        - AlertLink (Preview)
-        - ConfidenceLevel (Preview)
-        - ConfidenceScore (Preview)
-        - ExtendedLinks (Preview)
-        - ProductComponentName (Preview)
-        - ProductName (Preview)
-        - ProviderName (Preview)
-        - RemediationSteps (Preview)
+    1. To override more default properties, select **+ Add new** and repeat the previous step. The following properties can be overridden:
+
+        |Name  |Description  |
+        |---------|---------|
+        |**AlertName**     |    String     |
+        |**Description**     | String        |
+        |**AlertSeverity**     | One of the following values: <br>- **Informational**<br>- **Low**<br>- **Medium**<br>- **High**        |
+        |**Tactics**     |    One of the following values: <br>- **Reconnaissance**<br>- **ResourceDevelopment**<br>- **InitialAccess**<br>-         **Execution**<br>        - **Persistence**<br>-        **PrivilegeEscalation**<br>-        **DefenseEvasion**<br>-        **CredentialAccess** <br>- **Discovery**<br>        - **LateralMovement**<br>-        **Collection**<br>-        **Exfiltration**<br>-        **CommandAndControl**<br>-        **Impact**<br> - **PreAttack**<br>- **ImpairProcessControl**<br>- **InhibitResponseFunction**     |
+        |**Techniques** (Preview)     | A string that matches the following regular expression: `^T(?<Digits>\d{4})$`. <br>For example: **T1234**        |
+        |**AlertLink** (Preview)     |  String       |
+        |**ConfidenceLevel** (Preview)     | One of the following values: <br>-  **Low**<br>- **High**<br>- **Unknown**      |
+        |**ConfidenceScore** (Preview)     | Integer, between **0**-**1** (inclusive)     |
+        |**ExtendedLinks** (Preview)     |  String       |
+        |**ProductComponentName** (Preview)     |   String      |
+        |**ProductName** (Preview)     |   String      |
+        |**ProviderName** (Preview)     |   String      |
+        |**RemediationSteps** (Preview)     |    String     |
     
     If you change your mind, or if you made a mistake, you can remove an alert detail by clicking the trash can icon next to the **Alert property/Value** pair, or delete the free text from the **Alert Name/Description Format** fields.
 
