Microsoft Defender for Cloud Alert

Microsoft Defender for Cloud is a unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud - whether they're in Azure or not - as well as on premises

This connector is available in the following products and regions:

Service Class Regions
Logic Apps Standard All Logic Apps regions except the following:
     -   US Department of Defense (DoD)
Contact
Name Microsoft
URL Microsoft LogicApps Support
Connector Metadata
Publisher Microsoft
learn more> https://docs.microsoft.com/connectors/ascalert
Website https://azure.microsoft.com/services/security-center/

Throttling Limits

Name Calls Renewal Period
API calls per connection 100 60 seconds

Triggers

When a Microsoft Defender for Cloud alert is created or triggered

Triggers when an alert is created in Microsoft Defender for Cloud and matches the evaluation criteria configured in an automation, or when manually run on a specific alert. Note: automated running of this trigger requires enabling automation in Microsoft Defender for Cloud and enabling a workload protection plan as a preliminary step. To do so, visit Microsoft Defender for Cloud.

When a Microsoft Defender for Cloud alert is created or triggered

Triggers when an alert is created in Microsoft Defender for Cloud and matches the evaluation criteria configured in an automation, or when manually run on a specific alert. Note: automated running of this trigger requires enabling automation in Microsoft Defender for Cloud and enabling a workload protection plan as a preliminary step. To do so, visit Microsoft Defender for Cloud.

Returns

Name Path Type Description
Alert Uri
AlertUri string

A direct link to view the alert with all its details in Microsoft Defender for Cloud in the Azure portal.

Alert Display Name
AlertDisplayName string

The display name of the alert, this value is displayed to users either as-is or with additional parameters. (for examples for place holders formatting see in Notes Section). It is advised not to put place holders in the AlertDisplayName field and have the same value for all alerts sharing the same AlertType value, since alerts can be aggregated according to the AlertType field and shown to end users as such.

Alert Type
AlertType string

The type name of the alert. Alerts of the same type should have the same name. This field is a keyed string representing the category or type of the alert and not of an alert instance. All alert instances from the same detection logic/analytic should share the same value for alert type.

Compromised Entity
CompromisedEntity string

Display name of the main entity being reported on. This field is presented to the user AS-IS and is not required to conform to any format. It could hold computer, ip addresses, VMs or anything that the alert provider decides to present.

Description
Description string

Alert description, might have parameters placeholders (for examples for place holders formatting see in Notes Section)

End Time (UTC)
EndTimeUtc date-time

The impact end time of the alert (the time of the last event contributing to the alert).

Intent
Intent string

Optional field that specify the kill chain related intent behind the alert. For list of supported values is in the section Kill Chain Intent enumeration. Multiple values can be selected in this field. The JSON format for this field should serialize the enumeration values as strings. Multiple values should be separated by comma, e.g. Probing, Exploitation.

Product Name
ProductName string

The name of the product which published this alert, i.e. ASC, WDATP, MCAS.

Severity
Severity string

The severity of the alert as it is reported by the provider. Possible Values: Informational (a.k.a Silent), Low, Medium, High

Start Time (UTC)
StartTimeUtc date-time

The impact start time of the alert (the time of the first event contributing to the alert).

System Alert Id
SystemAlertId string

Holds the product identifier of the alert for the product. This is the alert identifier which is usually also available externally to query alerts by customers or external systems. Alert publisher which are internal to a product should use the ProviderAlertId field in order to report any identifier to be used in a scope of a single product.

Time Generated (UTC)
TimeGenerated date-time

The time the alert was generated. This time should contain the time it was generated by the alert provider, if missing the system will assign to it the time it was received for processing.

Vendor Name
VendorName string

The name of the vendor that raise the alert, this value is displayed to users as is, i.e. Microsoft or Deep Security Agent or Microsoft Antimalware etc.

Entities
Entities array of object

A list of entities related to the alert. This list can hold a mixture of entities of diverse types. The entities type can be any of the types defined in the Entitiessection. Entities which are not in the list below can also be send, however we dont guarantee that they will be processed (however the alert will not fail validation). Cannot be set to null (will be set to empty enumerable instead).

Extended Links
ExtendedLinks array of object

A bag for all links related to the alert. This bag can hold a mixture of links for diverse types. Links which are not in the list below can also be send, however we dont guarantee that they will be processed (however the alert will not fail validation). Cannot be set to null (will be set to empty enumerable instead)

Remediation Steps
RemediationSteps array of string

Manual action items to take to remediate the alert. Might have parameters placeholders. (for examples for place holders formatting see in Notes Section).

Resource Identifiers
ResourceIdentifiers array of object

The resource identifiers for this alert which can be used to direct the alert to the right product exposure group (workspace, subscription etc.). There can be multiple identifiers of different type per alert. See Resource Identifiers for more details.