Sample alert for Microsoft Sentinel
A snapshot of the alert entity at the time an event occurs in Microsoft Sentinel.
The sample alert becomes available after you generate the webhook.
{
"$id": "1",
"Version": "3.0",
"VendorName": "Microsoft",
"ProviderName": "ASI Scheduled Alerts",
"ProductName": "Azure Sentinel",
"ProductComponentName": "Scheduled Alerts",
"AlertType": "4dc663f5-b613-4518-8a17-a56a17b31899_6d77d754-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"StartTimeUtc": "2022-04-06T04:26:44.572Z",
"EndTimeUtc": "2022-04-06T04:27:06.73Z",
"TimeGenerated": "2022-04-06T05:30:20.6891354Z",
"ProcessingEndTime": "2022-04-06T05:30:20.6891325Z",
"Status": "New",
"Severity": "Informational",
"IsIncident": false,
"ProviderAlertId": "ea8b0bd6-c205-xxxx-xxxx-xxxxxxxxxxxx",
"SystemAlertId": "77dfe82c-7d04-xxxx-xxxx-xxxxxxxxxxxx",
"CorrelationKey": null,
"Intent": "Unknown",
"ResourceIdentifiers": [
{
"$id": "2",
"WorkspaceId": "4dc663f5-b613-xxxx-xxxx-xxxxxxxxxxxx",
"WorkspaceSubscriptionId": "70b49f2f-13aa-xxxx-xxxx-xxxxxxxxxxxx",
"WorkspaceResourceGroup": "itxlab",
"Type": "LogAnalytics"
}
],
"WorkspaceId": "4dc663f5-b613-xxxx-xxxx-xxxxxxxxxxxx",
"WorkspaceSubscriptionId": "70b49f2f-13aa-xxxx-xxxx-xxxxxxxxxxxx",
"WorkspaceResourceGroup": "itxlab",
"AlertDisplayName": "Alert Details from AzureActivity",
"Description": "Alert Details from AzureActivity Desc",
"ExtendedProperties": {
"Query Period": "01:00:00",
"Trigger Operator": "GreaterThan",
"Trigger Threshold": "0",
"Correlation Id": "4dc663f5-b613--xxxx-xxxx-xxxxxxxxxxxx_6d77d754-7073--xxxx-xxxx-xxxxxxxxxxxx_63784819817838xxxx",
"Search Query Results Overall Count": "50",
"Data Sources": "[\"itxlabwentinelworkspace\"]",
"Query": "// The query_now parameter represents the time (in UTC) at which the scheduled analytics rule ran to produce this alert.\nset query_now = datetime(2022-04-06T05:25:17.8383213Z);\n AzureActivity \n| limit 50",
"Query Start Time UTC": "2022-04-06 04:25:17Z",
"Query End Time UTC": "2022-04-06 05:25:17Z",
"Analytic Rule Ids": "[\"6d77d754-7073-494a-xxxx-xxxx-xxxxxxxxxxxx\"]",
"Event Grouping": "SingleAlert",
"Analytic Rule Name": "Azure Activity Rule",
"ProcessedBySentinel": "True",
"Alert generation status": "Full alert created"
},
"Metadata": {
"WorkspaceRegion": "eastus",
"SourceTags.SourceEnv": "PROD",
"TriggeringRuleNames": "[\"6d77d754-7073-494a-xxxx-xxxx-xxxxxxxxxxxx\"]",
"SentinelWorkspaceRegion": "eastus",
"SentinelWorkspaceGeography": "unitedstates"
},
"Entities": [
{
"$id": "3",
"Address": "199.91.xxx.xx",
"Type": "ip"
},
{
"$id": "4",
"Address": "149.96.x.xx",
"Type": "ip"
}
]
}