Merge pull request #101929 from memildin/asc-melvyn-alertsschema

First draft of the schema page

Author: v-albemi

articles/security-center/TOC.yml

@@ -66,6 +66,8 @@
       href: security-center-alerts-overview.md      
     - name: Reference list of alerts
       href: alerts-reference.md
+    - name: Alerts schemas
+      href: alerts-schemas.md
     - name: Manage security alerts
       href: security-center-managing-and-responding-alerts.md
     - name: Manage security incidents

articles/security-center/alerts-schemas.md

@@ -0,0 +1,193 @@
+---
+title: Schemas for the Azure Security Center alerts
+description: This article describes the different schemas used by Azure Security Center for security alerts.
+services: security-center
+documentationcenter: na
+author: memildin
+manager: rkarlin
+ms.service: security-center
+ms.devlang: na
+ms.topic: conceptual
+ms.tgt_pltfrm: na
+ms.workload: na
+ms.date: 03/10/2020
+ms.author: memildin
+
+---
+
+# Security alerts schemas
+
+Azure Security Center's advanced threat protection mechanisms generate security alerts when they detect threats to your resources.
+
+These alerts are only available to users of the standard tier.  
+
+Security alerts can be seen in Azure Security Center's Threat Protection pages. They can also be accessed from:
+
+- [Azure Sentinel](https://docs.microsoft.com/azure/sentinel/)
+
+- [Azure Event Hubs](https://docs.microsoft.com/azure/event-hubs/) using Security Center's [continuous export feature](continuous-export.md) for integrations with third-party SIEMs
+
+- [The REST API](https://docs.microsoft.com/rest/api/securitycenter/) - If you're using the REST API to access alerts, see the [online Alerts API documentation](https://docs.microsoft.com/rest/api/securitycenter/alerts)
+
+- [Log Analytics workspaces](https://docs.microsoft.com/azure/azure-monitor/learn/quick-create-workspace)
+
+If you're using any programmatic methods to consume the alerts, you'll need the correct schema to find the fields that are relevant to you. In addition, when exporting to an Event Hub or when triggering Workflow Automation with generic HTTP connectors, you could use the schemas to properly parse the JSON objects.
+
+>[!IMPORTANT]
+> The schema is slightly different for each of these scenarios, so make sure you select the relevant tab below.
+
+
+## The schemas 
+
+
+### [Workflow automation and continuous export to Event Hub](#tab/schema-continuousexport)
+
+### Sample JSON for alerts sent to Logic Apps, Event Hub, and third-party SIEMs
+
+This is the schema of the alert events passed to:
+
+- Azure Logic App instances that were configured in Security Center's workflow automation
+- Azure Event Hub using Security Center's continuous export feature
+
+For more information about the workflow automation feature see [Automate responses to alerts and recommendations](workflow-automation.md).
+For more information about continuous export, see [Export alerts and recommendations](continuous-export.md).
+
+[!INCLUDE [Workflow schema](../../includes/security-center-alerts-schema-workflow-automation.md)]
+
+
+
+
+### [Azure Sentinel and Log Analytics workspaces](#tab/schema-sentinel)
+
+The Sentinel Connector gets alerts from Azure Security Center and sends them to the Log Analytics Workspace for Azure Sentinel. 
+
+To create a Sentinel case or incident using Security Center alerts, you'll need the schema for those alerts shown below. 
+
+For more information about Azure Sentinel, see [the documentation](https://docs.microsoft.com/azure/sentinel/).
+
+[!INCLUDE [Sentinel and workspace schema](../../includes/security-center-alerts-schema-log-analytics-workspace.md)]
+
+
+
+
+### [Azure Activity Log](#tab/schema-activitylog)
+
+Azure Security Center audits generated Security alerts as events in Azure Activity Log.
+
+You can view the security alerts events in Activity Log by searching for the Activate Alert event as shown:
+
+[![Searching the Activity log for the Activate Alert event](media/alerts-schemas/sample-activity-log-alert.png)](media/alerts-schemas/sample-activity-log-alert.png#lightbox)
+
+
+### Sample JSON for alerts sent to Azure Activity Log
+
+```json
+{
+    "channels": "Operation",
+    "correlationId": "2518250008431989649_e7313e05-edf4-466d-adfd-35974921aeff",
+    "description": "PREVIEW - Role binding to the cluster-admin role detected. Kubernetes audit log analysis detected a new binding to the cluster-admin role which gives administrator privileges.\r\nUnnecessary administrator privileges might cause privilege escalation in the cluster.",
+    "eventDataId": "2518250008431989649_e7313e05-edf4-466d-adfd-35974921aeff",
+    "eventName": {
+        "value": "PREVIEW - Role binding to the cluster-admin role detected",
+        "localizedValue": "PREVIEW - Role binding to the cluster-admin role detected"
+    },
+    "category": {
+        "value": "Security",
+        "localizedValue": "Security"
+    },
+    "eventTimestamp": "2019-12-25T18:52:36.801035Z",
+    "id": "/subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP_NAME/providers/Microsoft.Security/locations/centralus/alerts/2518250008431989649_e7313e05-edf4-466d-adfd-35974921aeff/events/2518250008431989649_e7313e05-edf4-466d-adfd-35974921aeff/ticks/637128967568010350",
+    "level": "Informational",
+    "operationId": "2518250008431989649_e7313e05-edf4-466d-adfd-35974921aeff",
+    "operationName": {
+        "value": "Microsoft.Security/locations/alerts/activate/action",
+        "localizedValue": "Activate Alert"
+    },
+    "resourceGroupName": "RESOURCE_GROUP_NAME",
+    "resourceProviderName": {
+        "value": "Microsoft.Security",
+        "localizedValue": "Microsoft.Security"
+    },
+    "resourceType": {
+        "value": "Microsoft.Security/locations/alerts",
+        "localizedValue": "Microsoft.Security/locations/alerts"
+    },
+    "resourceId": "/subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP_NAME/providers/Microsoft.Security/locations/centralus/alerts/2518250008431989649_e7313e05-edf4-466d-adfd-35974921aeff",
+    "status": {
+        "value": "Active",
+        "localizedValue": "Active"
+    },
+    "subStatus": {
+        "value": "",
+        "localizedValue": ""
+    },
+    "submissionTimestamp": "2019-12-25T19:14:03.5507487Z",
+    "subscriptionId": "SUBSCRIPTION_ID",
+    "properties": {
+        "clusterRoleBindingName": "cluster-admin-binding",
+        "subjectName": "for-binding-test",
+        "subjectKind": "ServiceAccount",
+        "username": "masterclient",
+        "actionTaken": "Detected",
+        "resourceType": "Kubernetes Service",
+        "severity": "Low",
+        "intent": "[\"Persistence\"]",
+        "compromisedEntity": "ASC-IGNITE-DEMO",
+        "remediationSteps": "[\"Review the user in the alert details. If cluster-admin is unnecessary for this user, consider granting lower privileges to the user.\"]",
+        "attackedResourceType": "Kubernetes Service"
+    },
+    "relatedEvents": []
+}
+```
+
+### The data model of the schema
+
+|Field|Description|
+|----|----|
+|**channels**|Constant, "Operation"|
+|**correlationId**|The Azure Security Center alert ID|
+|**description**|Description of the alert|
+|**eventDataId**|See correlationId|
+|**eventName**|The value and localizedValue sub-fields contain the alert display name|
+|**category**|The value and localizedValue sub-fields are constant - "Security"|
+|**eventTimestamp**|UTC timestamp for when the alert was generated|
+|**id**|The fully qualified alert ID|
+|**level**|Constant, "Informational"|
+|**operationId**|See correlationId|
+|**operationName**|The value field is constant - "Microsoft.Security/locations/alerts/activate/action", and the localized value will be "Activate Alert" (can potentially be localized par the user locale)|
+|**resourceGroupName**|Will include the resource group name|
+|**resourceProviderName**|The value and localizedValue sub-fields are constant - "Microsoft.Security"|
+|**resourceType**|The value and localizedValue sub-fields are constant - "Microsoft.Security/locations/alerts"|
+|**resourceId**|The fully qualified Azure resource ID|
+|**status**|The value and localizedValue sub-fields are constant - "Active"|
+|**subStatus**|The value and localizedValue sub-fields are empty|
+|**submissionTimestamp**|The UTC timestamp of event submission to Activity Log|
+|**subscriptionId**|The subscription ID of the compromised resource|
+|**properties**|A JSON bag of additional properties pertaining to the alert. These can change from one alert to the other, however, the following fields will appear in all alerts:<br>- severity: The severity of the attack<br>- compromisedEntity: The name of the compromised resource<br>- remediationSteps: Array of remediation steps to be taken<br>- intent: The kill-chain intent of the alert. Possible intents are documented in the [Intentions table](alerts-reference.md#intentions)|
+|**relatedEvents**|Constant - empty array|
+|||
+
+
+
+
+
+### [MS Graph API](#tab/schema-graphapi)
+
+Microsoft Graph is the gateway to data and intelligence in Microsoft 365. It provides a unified programmability model that you can use to access the tremendous amount of data in Office 365, Windows 10, and Enterprise Mobility + Security. Use the wealth of data in Microsoft Graph to build apps for organizations and consumers that interact with millions of users.
+
+The schema and a JSON representation for security alerts sent to MS Graph, are available in [the Microsoft Graph documentation](https://docs.microsoft.com/graph/api/resources/alert?view=graph-rest-1.0).
+
+---
+
+
+## Next steps
+
+This article described the schemas that Azure Security Center's threat protection tools use when sending security alert information.
+
+For more information on the ways to access security alerts from outside Security Center, see the following:
+
+- [Azure Sentinel](https://docs.microsoft.com/azure/sentinel/) - Microsoft's cloud-native SIEM
+- [Azure Event Hubs](https://docs.microsoft.com/azure/event-hubs/) - Microsoft's fully managed, real-time data ingestion service
+- Security Center's [continuous export feature](continuous-export.md)
+
+- [Log Analytics workspaces](https://docs.microsoft.com/azure/azure-monitor/learn/quick-create-workspace) - Azure Monitor stores log data in a Log Analytics workspace, a container that includes data and configuration information

articles/security-center/media/alerts-schemas/sample-activity-log-alert.png

@@ -18,11 +18,11 @@ When Security Center detects a threat in any area of your environment, it genera
 
 Azure Security Center's threat protection provides comprehensive defenses for your environment:
 
-* **Threat protection for compute resources**: Windows machines, Linux machines, Azure App Service, and Azure containers
+* **Threat protection for Azure compute resources**: Windows machines, Linux machines, Azure App Service, and Azure containers
 
-* **Threat protection for data resources**: SQL Database and SQL Data Warehouse, Azure Storage, and Azure Cosmos DB
+* **Threat protection for Azure data resources**: SQL Database and SQL Data Warehouse, Azure Storage, and Azure Cosmos DB
 
-* **Threat protection for the service layer**: Azure network layer, Azure management layer (Azure Resource Manager) (Preview), and Azure Key Vault (Preview)
+* **Threat protection for Azure service layers**: Azure network layer, Azure management layer (Azure Resource Manager) (Preview), and Azure Key Vault (Preview)
 
 Whether an alert is generated by Security Center, or received by Security Center from a different security product, you can export it. To export your alerts to Azure Sentinel (or a third-party SIEM) or any other external tool, follow the instructions in [Exporting alerts to a SIEM](continuous-export.md). 
 

articles/security-center/threat-protection.md

@@ -0,0 +1,45 @@
+---
+title: include file
+description: include file
+services: data-factory
+author: memildin
+ms.service: data-factory
+ms.topic: include
+ms.date: 03/17/2020
+ms.author: memildin
+ms.custom: include file
+---
+### The data model of the schema
+
+|Field|Description|
+|----|----|
+|**AlertName**|Alert display name|
+|**AlertType**|unique alert identifier|
+|**ConfidenceLevel**|(Optional) The confidence level of this alert (High/Low)|
+|**ConfidenceScore**|(Optional) Numeric confidence indicator of the security alert|
+|**Description**|Description text for the alert|
+|**DisplayName**|The alert's display name|
+|**EndTime**|The impact end time of the alert (the time of the last event contributing to the alert)|
+|**Entities**|A list of entities related to the alert. This list can hold a mixture of entities of diverse types|
+|**ExtendedLinks**|(Optional) A bag for all links related to the alert. This bag can hold a mixture of links for diverse types|
+|**ExtendedProperties**|A bag of additional fields which are relevant to the alert|
+|**IsIncident**|Determines if the alert is an incident or a regular alert. An incident is a security alert that aggregates multiple alerts into one security incident|
+|**ProcessingEndTime**|UTC timestamp in which the alert was created|
+|**ProductComponentName**|(Optional) The name of a component inside the product which generated the alert.|
+|**ProductName**|constant ('Azure Security Center')|
+|**ProviderName**|unused|
+|**RemediationSteps**|Manual action items to take to remediate the security threat|
+|**ResourceId**|Full identifier of the affected resource|
+|**Severity**|The alert severity (High/Medium/Low/Informational)|
+|**SourceComputerId**|a unique GUID for the affected server (if the alert is generated on the server)|
+|**SourceSystem**|unused|
+|**StartTime**|The impact start time of the alert (the time of the first event contributing to the alert)|
+|**SystemAlertId**|Unique identifier of this security alert instance|
+|**TenantId**|the identifier of the parent Azure Active directory tenant of the subscription under which the scanned resource resides|
+|**TimeGenerated**|UTC timestamp on which the assessment took place (Security Center's scan time) (identical to DiscoveredTimeUTC)|
+|**Type**|constant ('SecurityAlert')|
+|**VendorName**|The name of the vendor that provided the alert (e.g. 'Microsoft')|
+|**VendorOriginalId**|unused|
+|**WorkspaceResourceGroup**|in case the alert is generated on a VM, Server, Virtual Machine Scale Set or App Service instance that reports to a workspace, contains that workspace resource group name|
+|**WorkspaceSubscriptionId**|in case the alert is generated on a VM, Server, Virtual Machine Scale Set or App Service instance that reports to a workspace, contains that workspace subscriptionId|
+|||

includes/security-center-alerts-schema-log-analytics-workspace.md

@@ -0,0 +1,77 @@
+---
+title: include file
+description: include file
+services: data-factory
+author: memildin
+ms.service: data-factory
+ms.topic: include
+ms.date: 03/10/2020
+ms.author: memildin
+ms.custom: include file
+---
+
+```json
+{
+  "VendorName": "Microsoft",
+  "AlertType": "SUSPECT_SVCHOST",
+  "StartTimeUtc": "2016-12-20T13:38:00.000Z",
+  "EndTimeUtc": "2019-12-20T13:40:01.733Z",
+  "ProcessingEndTime": "2019-09-16T12:10:19.5673533Z",
+  "TimeGenerated": "2016-12-20T13:38:03.000Z",
+  "IsIncident": false,
+  "Severity": "High",
+  "Status": "New",
+  "ProductName": "Azure Security Center",
+  "SystemAlertId": "2342409243234234_F2BFED55-5997-4FEA-95BD-BB7C6DDCD061",
+  "CompromisedEntity": "WebSrv1",
+  "Intent": "Execution",
+  "AlertDisplayName": "Suspicious process detected",
+  "Description": "Suspicious process named 'SVCHOST.EXE' was running from path: %{Process Path}",
+  "RemediationSteps": ["contact your security information team"],
+  "ExtendedProperties": {
+    "Process Path": "c:\\temp\\svchost.exe",
+    "Account": "Contoso\\administrator",
+    "PID": 944,
+    "ActionTaken": "Detected"
+  },
+  "Entities": [],
+  "ResourceIdentifiers": [
+        {
+            Type: "AzureResource",
+            AzureResourceId: "/subscriptions/86057C9F-3CDD-484E-83B1-7BF1C17A9FF8/resourceGroups/backend-srv/providers/Microsoft.Compute/WebSrv1"
+        },
+        {
+            Type: "LogAnalytics",
+            WorkspaceId: "077BA6B7-8759-4F41-9F97-017EB7D3E0A8",
+            WorkspaceSubscriptionId: "86057C9F-3CDD-484E-83B1-7BF1C17A9FF8",
+            WorkspaceResourceGroup: "omsrg",
+            AgentId: "5A651129-98E6-4E6C-B2CE-AB89BD815616",
+        }
+  ]
+}
+```
+
+### The data model of the schema
+
+|Field|Data type|Description|
+|----|----|----|
+|**AlertDisplayName**|String|The display name of the alert.|
+|**AlertType**|String|The type of alert. Alerts of the same type should have the same value. This field is a keyed string representing the type of alert and not of an alert instance. All alert instances from the same detection logic/analytic should have the same value for alert type.|
+|**CompromisedEntity**|String|The display name of the resource most related to this alert.|
+|**Description**|String|Description of the alert.|
+|**EndTimeUtc**|DateTime|The time of the last event or activity included in the alert.  The field should be a string that conforms to the ISO8601 format, including UTC timezone information.|
+|**Entities**|IEnumerable (IEntity)|A list of entities related to the alert. This list can hold a mixture of entities of diverse types. The entities type can be any of the types defined in the Entities section. Entities that are not in the list below can also be sent, however it is not guaranteed that they will be processed (the alert will not fail validation with new types of entities).|
+|**ExtendedProperties**|Dictionary (String,String)|Providers might (optionally) include custom fields here.|
+|**Intent**|Enum|The kill chain related intent behind the alert. For list of supported values, and explanations of Azure Security Center's supported kill chain intents, see [Intentions](/articles/security-center/alerts-reference.md#intentions).<br/>This field might have multiple values (separated by comma).|
+|**IsIncident**|Bool|This field determines whether the alert is an incident (a compound grouping of several alerts) or a single alert. Default value for the field is 'false' (meaning it's a single alert).|
+|**ProcessingEndTime**|DateTime|The time the alert was accessible to the end user in the original product holding the alert.|
+|**ProductName**|String|The name of the product that published this alert (Azure Security Center, Azure ATP, Microsoft Defender ATP, O365 ATP, MCAS, and so on).|
+|**RemediationSteps**|List<String>|Manual action items to take to remediate the alert.|
+|**ResourceIdentifiers**|List (Resource Identifiers)|The resource identifiers for this alert that can be used to direct the alert to the right product exposure group (tenant, workspace, subscription etc.). There can be multiple identifiers of different type per alert.|
+|**Severity**|Enum|The severity of the alert as reported by the provider. Possible Values: Informational, Low, Medium, and High.|
+|**StartTimeUtc**|DateTime|The time of the first event or activity included in the alert. The field should be a string that conforms to the ISO8601 format, including UTC timezone information.|
+|**Status**|Enum|The life-cycle status of the alert.<br/>Supported statuses are: New, Resolved, Dismissed, Unknown.<br/>An alert that specifies a value other than the supported options is assigned the status 'Unknown'.<br/>An alert that doesn't specify a value is assigned the status 'New'.|
+|**SystemAlertId**|String|The alert identifier.|
+|**TimeGenerated**|DateTime|The time the alert was generated by the alert provider. If not reported by internal alert providers, a product can choose to assign the time it was received for processing by the product.  The field should be a string that conforms to the ISO8601 format, including UTC timezone information.|
+|**VendorName**|String|The name of the vendor that raises the alert.|
+|||