|
1 | 1 | ---
|
2 |
| -title: Schemas for the Microsoft Defender for Cloud alerts |
| 2 | +title: Alerts schema |
3 | 3 | description: This article describes the different schemas used by Microsoft Defender for Cloud for security alerts.
|
4 |
| -ms.topic: conceptual |
| 4 | +ms.topic: concept-article |
5 | 5 | ms.author: dacurwin
|
6 | 6 | author: dcurwin
|
7 |
| -ms.date: 11/09/2021 |
| 7 | +ms.date: 03/25/2024 |
| 8 | +#customer intent: As a reader, I want to understand the different schemas used by Microsoft Defender for Cloud for security alerts so that I can effectively work with the alerts. |
8 | 9 | ---
|
9 | 10 |
|
10 |
| -# Security alerts schemas |
| 11 | +# Alerts schemas |
11 | 12 |
|
12 |
| -If your subscription has Defender for Cloud [Defender plans](defender-for-cloud-introduction.md#protect-cloud-workloads) enabled, you receive security alerts when Defender for Cloud detects threats to their resources. |
13 | 13 |
|
14 |
| -You can view these security alerts in Microsoft Defender for Cloud's pages - [overview dashboard](overview-page.md), [alerts](managing-and-responding-alerts.md), [resource health pages](investigate-resource-health.md), or [workload protections dashboard](workload-protections-dashboard.md) - and through external tools such as: |
| 14 | +Defender for Cloud provides alerts that help you identify, understand, and respond to security threats. Alerts are generated when Defender for Cloud detects suspicious activity or a security-related issue in your environment. You can view these alerts in the Defender for Cloud portal, or you can export them to external tools for further analysis and response. |
| 15 | + |
| 16 | +You can review security alerts from the [overview dashboard](overview-page.md), [alerts](managing-and-responding-alerts.md) page, [resource health pages](investigate-resource-health.md), or [workload protections dashboard](workload-protections-dashboard.md). |
| 17 | + |
| 18 | +The following external tools can be used to consume alerts from Defender for Cloud: |
15 | 19 |
|
16 | 20 | - [Microsoft Sentinel](../sentinel/index.yml) - Microsoft's cloud-native SIEM. The Sentinel Connector gets alerts from Microsoft Defender for Cloud and sends them to the [Log Analytics workspace](../azure-monitor/logs/quick-create-workspace.md) for Microsoft Sentinel.
|
17 | 21 | - Third-party SIEMs - Send data to [Azure Event Hubs](../event-hubs/index.yml). Then integrate your Event Hubs data with a third-party SIEM. Learn more in [Stream alerts to a SIEM, SOAR, or IT Service Management solution](export-to-siem.md).
|
18 | 22 | - [The REST API](/rest/api/defenderforcloud/operation-groups?view=rest-defenderforcloud-2020-01-01&preserve-view=true) - If you're using the REST API to access alerts, see the [online Alerts API documentation](/rest/api/defenderforcloud/alerts).
|
19 | 23 |
|
20 |
| -If you're using any programmatic methods to consume the alerts, you need the correct schema to find the fields that are relevant to you. Also, if you're exporting to an Event Hubs or trying to trigger Workflow Automation with generic HTTP connectors, use the schemas to properly parse the JSON objects. |
| 24 | +If you're using any programmatic methods to consume the alerts, you need the correct schema to find the fields that are relevant to you. Also, if you're exporting to an Event Hubs or trying to trigger Workflow Automation with generic HTTP connectors, schemas should be utilized to properly parse the JSON objects. |
21 | 25 |
|
22 | 26 | >[!IMPORTANT]
|
23 |
| -> The schema is slightly different for each of these scenarios, so make sure you select the relevant tab. |
| 27 | +> Since the schema is different for each of these scenarios, ensure you select the relevant tab. |
24 | 28 |
|
25 | 29 | ## The schemas
|
26 | 30 |
|
@@ -148,13 +152,13 @@ The schema and a JSON representation for security alerts sent to MS Graph, are a
|
148 | 152 |
|
149 | 153 | ---
|
150 | 154 |
|
151 |
| -## Next steps |
152 |
| - |
153 |
| -This article described the schemas that Microsoft Defenders for Cloud's threat protection tools use when sending security alert information. |
154 |
| - |
155 |
| -For more information on the ways to access security alerts from outside Defender for Cloud, see: |
| 155 | +## Related articles |
156 | 156 |
|
| 157 | +- [Log Analytics workspaces](../azure-monitor/logs/quick-create-workspace.md) - Azure Monitor stores log data in a Log Analytics workspace, a container that includes data and configuration information |
157 | 158 | - [Microsoft Sentinel](../sentinel/index.yml) - Microsoft's cloud-native SIEM
|
158 | 159 | - [Azure Event Hubs](../event-hubs/index.yml) - Microsoft's fully managed, real-time data ingestion service
|
159 |
| -- [Continuously export Defender for Cloud data](continuous-export.md) |
160 |
| -- [Log Analytics workspaces](../azure-monitor/logs/quick-create-workspace.md) - Azure Monitor stores log data in a Log Analytics workspace, a container that includes data and configuration information |
| 160 | + |
| 161 | +## Next step |
| 162 | + |
| 163 | +> [!div class="nextstepaction"] |
| 164 | +> [Continuously export Defender for Cloud data](continuous-export.md) |
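Review bot: The new "Related articles" list (new lines 157-159) puts Log Analytics workspaces first, ahead of Microsoft Sentinel and Azure Event Hubs, although the body of the article presents Sentinel and Event Hubs as the primary consumers of the alerts and only mentions the workspace in passing as where Sentinel stores them; suggest keeping the previous order (Sentinel, Event Hubs, then Log Analytics workspaces) so the list mirrors the article. The removal of the summary sentence on old line 153 also silently fixes the "Microsoft Defenders for Cloud's" typo, which is fine, but it is worth calling out in the commit message since the sentence was otherwise accurate.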