articles/sentinel/customize-alert-details.md
Lines changed: 8 additions & 7 deletions
Original file line number
Diff line number
Diff line change
@@ -3,7 +3,7 @@ title: Customize alert details in Microsoft Sentinel | Microsoft Docs
3
3
description: Customize how alerts are named and described, along with their severity and assigned tactics, based on the alerts' content.
4
4
author: yelevin
5
5
ms.topic: how-to
6
-
ms.date: 11/09/2021
6
+
ms.date: 04/26/2022
7
7
ms.author: yelevin
8
8
ms.custom: ignite-fall-2021
9
9
---
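Review bot: the only change in this hunk is the `ms.date` bump from 11/09/2021 to 04/26/2022, which is consistent with the substantive edits further down (the preview banner is dropped and a new parameter-limit note is added). Since the feature is no longer flagged as preview, also check whether `ms.custom: ignite-fall-2021` on line 8 is still the intended tag or should be refreshed together with the date.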
@@ -12,10 +12,6 @@ ms.custom: ignite-fall-2021
12
12
13
13
[!INCLUDE [Banner for top of topics](./includes/banner.md)]
14
14
15
-
> [!IMPORTANT]
16
-
>
17
-
> - The alert details feature is in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
18
-
19
15
## Introduction
20
16
21
17
When you define a name and description for your scheduled analytics rules, and you assign them severities and MITRE ATT&CK tactics, all alerts generated by a particular rule - and all incidents created as a result - will be displayed with the same name, description, and so on, without regard to the particular content of a specific instance of the alert.
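Review bot: dropping the `> [!IMPORTANT]` preview block (old lines 15-18) signals that the alert details feature has left preview, but nothing in the remaining text states that, and the related articles linked from this page (for example `detect-threats-custom.md`) may still carry their own preview wording for the same feature; confirm those are updated in the same change so the docs do not contradict each other. Structurally the removal is clean: the `[!INCLUDE ...]` banner on line 13 is still followed by a blank line before `## Introduction` on line 15.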
@@ -40,17 +36,22 @@ The procedure detailed below is part of the analytics rule creation wizard. It's
40
36
41
37
1. In the **Alert Name Format** field, enter the text you want to appear as the name of the alert (the alert text), and include, in double curly brackets, any parameters you want to be part of the alert text.
42
38
43
-
Example: `Alert from {{ProviderName}}: {{AccountName}} failed to log on to computer {{ComputerName}} with IP address {{IPAddress}}.`
39
+
Example: `Alert from {{ProviderName}}: {{AccountName}} failed to log on to computer {{ComputerName}}.`
44
40
45
41
1. Do the same with the **Alert Description Format** field.
46
-
42
+
43
+
> [!NOTE]
44
+
> You are currently limited to **three parameters each** in the **Alert Name Format** and **Alert Description Format** fields.
45
+
47
46
1. Use the **Tactic Column** and **Severity Column** fields only if your query results contain columns with this information in them. For each one, choose the column that contains the corresponding information.
48
47
49
48
If you change your mind, or if you made a mistake, you can remove an alert detail by clicking the trash can icon next to the **Tactic/Severity Column** fields or delete the free text from the **Alert Name/Description Format** fields.
50
49
51
50
1. When you have finished customizing your alert details, continue to the next tab in the wizard. If you're editing an existing rule, click the **Review and create** tab. Once the rule validation is successful, click **Save**.
52
51
53
52
## Next steps
53
+
54
54
In this document, you learned how to customize alert details in Microsoft Sentinel analytics rules. To learn more about Microsoft Sentinel, see the following articles:
55
+
55
56
- Get the complete picture on [scheduled query analytics rules](detect-threats-custom.md).
56
57
- Learn more about [entities in Microsoft Sentinel](entities.md).
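Review bot: the new `> [!NOTE]` block (new lines 43-45) sits between the list items `1. Do the same with the **Alert Description Format** field.` and `1. Use the **Tactic Column** and **Severity Column** fields ...`; if it is at column 0 as it appears in the hunk, it terminates the ordered list, so the following `1.` items render as a fresh list that restarts at 1. Indent the note by the list's indent (three spaces) so it stays nested under step 2, or move it above step 1 where the `{{...}}` parameter example appears, since a reader following step 1 could otherwise enter four parameters before reaching the limit. The example on new line 39 being trimmed from four parameters to three (`{{IPAddress}}` removed) is the right companion change for the "three parameters each" limit the note states. The two added blank lines under `## Next steps` (new lines 53 and 55) are plain Markdown spacing fixes and need no further comment.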