Interface Alert

The display name of the alert. NOTE: This property will not be serialized. It can only be populated by the server.

Unique identifier for the detection logic (all alert instances from the same detection logic will have the same alertType). NOTE: This property will not be serialized. It can only be populated by the server.

A direct link to the alert page in Azure Portal. NOTE: This property will not be serialized. It can only be populated by the server.

The display name of the resource most related to this alert. NOTE: This property will not be serialized. It can only be populated by the server.

Key for corelating related alerts. Alerts with the same correlation key considered to be related. NOTE: This property will not be serialized. It can only be populated by the server.

Description of the suspicious activity that was detected. NOTE: This property will not be serialized. It can only be populated by the server.

The UTC time of the last event or activity included in the alert in ISO8601 format. NOTE: This property will not be serialized. It can only be populated by the server.

A list of entities related to the alert. NOTE: This property will not be serialized. It can only be populated by the server.

Links related to the alert NOTE: This property will not be serialized. It can only be populated by the server.

Custom properties for the alert.

The kill chain related intent behind the alert. For list of supported values, and explanations of Azure Security Center's supported kill chain intents. NOTE: This property will not be serialized. It can only be populated by the server.

This field determines whether the alert is an incident (a compound grouping of several alerts) or a single alert. NOTE: This property will not be serialized. It can only be populated by the server.

The UTC processing end time of the alert in ISO8601 format. NOTE: This property will not be serialized. It can only be populated by the server.

The name of Azure Security Center pricing tier which powering this alert. Learn more: https://docs.microsoft.com/en-us/azure/security-center/security-center-pricing NOTE: This property will not be serialized. It can only be populated by the server.

The name of the product which published this alert (Azure Security Center, Azure ATP, Microsoft Defender ATP, O365 ATP, MCAS, and so on). NOTE: This property will not be serialized. It can only be populated by the server.

Manual action items to take to remediate the alert. NOTE: This property will not be serialized. It can only be populated by the server.

The resource identifiers that can be used to direct the alert to the right product exposure group (tenant, workspace, subscription etc.). There can be multiple identifiers of different type per alert. NOTE: This property will not be serialized. It can only be populated by the server.

The risk level of the threat that was detected. Learn more: https://docs.microsoft.com/en-us/azure/security-center/security-center-alerts-overview#how-are-alerts-classified. NOTE: This property will not be serialized. It can only be populated by the server.

The UTC time of the first event or activity included in the alert in ISO8601 format. NOTE: This property will not be serialized. It can only be populated by the server.

The life cycle status of the alert. NOTE: This property will not be serialized. It can only be populated by the server.

Kill chain related sub-techniques behind the alert. NOTE: This property will not be serialized. It can only be populated by the server.

Changing set of properties depending on the supportingEvidence type.

Unique identifier for the alert. NOTE: This property will not be serialized. It can only be populated by the server.

kill chain related techniques behind the alert. NOTE: This property will not be serialized. It can only be populated by the server.

The UTC time the alert was generated in ISO8601 format. NOTE: This property will not be serialized. It can only be populated by the server.

The name of the vendor that raises the alert. NOTE: This property will not be serialized. It can only be populated by the server.

Schema version. NOTE: This property will not be serialized. It can only be populated by the server.