Security
Security Overview
This category contains the record of any alerts generated by Microsoft Defender for Cloud.
Schema

| Property | Description |
|---|---|
| channels | Always "Operation" |
| correlationId | A GUID in the string format. |
| description | Static text description of the security event. |
| eventDataId | Unique identifier of the security event. |
| eventName | Friendly name of the security event. |
| category | Always "Security" |
| ID | Unique resource identifier of the security event. |
| level | Severity level of the event. |
| resourceGroupName | Name of the resource group for the resource. |
| resourceProviderName | Name of the resource provider for Microsoft Defender for Cloud. Always "Microsoft.Security". |
| resourceType | The type of resource that generated the security event, such as "Microsoft.Security/locations/alerts" |
| resourceId | Resource ID of the security alert. |
| operationId | A GUID shared among the events that correspond to a single operation. |
| operationName | Name of the operation. |
| properties | Set of `<Key, Value>` pairs (that is, a Dictionary) describing the details of the event. These properties vary depending on the type of security alert. See this page for a description of the types of alerts that come from Defender for Cloud. |
| properties.Severity | The severity level. Possible values are "High," "Medium," or "Low." |
| status | String describing the status of the operation. Some common values are: Started, In Progress, Succeeded, Failed, Active, Resolved. |
| subStatus | Usually null for security events. |
| eventTimestamp | Timestamp when the event was generated by the Azure service processing the request corresponding to the event. |
| submissionTimestamp | Timestamp when the event became available for querying. |
| subscriptionId | Azure Subscription ID. |
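The following is an added example, not part of the original page or of any Microsoft SDK. It checks an Activity Log record against the fixed values and GUID fields the Security schema above promises, then normalises a conforming record for a SOC queue, escalating only open High-severity alerts. The sample record, its GUIDs, the resource names and the `compromisedEntity` property are constructed placeholders.

```python
import uuid

# Values the Security schema fixes for every record, the allowed severities, and fields triage needs.
FIXED = {"channels": "Operation", "category": "Security", "resourceProviderName": "Microsoft.Security"}
SEVERITIES = {"High", "Medium", "Low"}
REQUIRED = ("eventDataId", "eventName", "resourceId", "subscriptionId", "properties")

def validate_security_event(event: dict) -> list:
    """Return schema violations for one Activity Log record; an empty list means it conforms."""
    problems = [f"missing field {f}" for f in REQUIRED if f not in event]
    for field, expected in FIXED.items():
        if event.get(field) != expected:
            problems.append(f"{field}: expected {expected!r}, got {event.get(field)!r}")
    for field in ("correlationId", "operationId"):
        try:
            uuid.UUID(str(event.get(field)))  # both are GUIDs in string form
        except ValueError:
            problems.append(f"{field}: not a GUID")
    props = event.get("properties")
    if not isinstance(props, dict):
        problems.append("properties: expected a dictionary of key/value pairs")
    elif props.get("Severity") not in SEVERITIES:
        problems.append(f"properties.Severity: unexpected value {props.get('Severity')!r}")
    return problems

def triage(event: dict):
    """Normalise a conforming record for a SOC queue; return None if it fails validation."""
    if validate_security_event(event):
        return None
    severity = event["properties"]["Severity"]
    return {
        "alert_id": event["eventDataId"],
        "name": event["eventName"],
        "severity": severity,
        "status": event.get("status"),
        "resource": event["resourceId"],
        "subscription": event["subscriptionId"],
        # Escalate only open High alerts; a Resolved status means the alert is closed.
        "escalate": severity == "High" and event.get("status") != "Resolved",
    }

# Constructed sample record (not real telemetry); GUIDs and resource names are placeholders.
SAMPLE_EVENT = {
    "channels": "Operation", "category": "Security", "resourceProviderName": "Microsoft.Security",
    "correlationId": "6c5d9f3e-1b2a-4c7d-8e9f-0a1b2c3d4e5f", "operationId": "6c5d9f3e-1b2a-4c7d-8e9f-0a1b2c3d4e5f",
    "eventDataId": "11111111-2222-3333-4444-555555555555", "eventName": "Suspicious process executed",
    "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Security/locations/eastus/alerts/11111111-2222-3333-4444-555555555555",
    "properties": {"Severity": "High", "compromisedEntity": "vm-example-01"},
    "status": "Active", "subscriptionId": "00000000-0000-0000-0000-000000000000",
}
```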