Security

Security Overview

This category contains the record of any alerts generated by Microsoft Defender for Cloud.

Schema

| Element Name | Description |
| --- | --- |
| channels | Always "Operation" |
| correlationId | A GUID in string format. |
| description | Static text description of the security event. |
| eventDataId | Unique identifier of the security event. |
| eventName | Friendly name of the security event. |
| category | Always "Security" |
| ID | Unique resource identifier of the security event. |
| level | Severity level of the event. |
| resourceGroupName | Name of the resource group for the resource. |
| resourceProviderName | Name of the resource provider for Microsoft Defender for Cloud. Always "Microsoft.Security". |
| resourceType | The type of resource that generated the security event, such as "Microsoft.Security/locations/alerts". |
| resourceId | Resource ID of the security alert. |
| operationId | A GUID shared among the events that correspond to a single operation. |
| operationName | Name of the operation. |
| properties | Set of <Key, Value> pairs (that is, a Dictionary) describing the details of the event. These properties vary depending on the type of security alert. See this page for a description of the types of alerts that come from Defender for Cloud. |
| properties.Severity | The severity level. Possible values are "High", "Medium", or "Low". |
| status | String describing the status of the operation. Some common values are: Started, In Progress, Succeeded, Failed, Active, Resolved. |
| subStatus | Usually null for security events. |
| eventTimestamp | Timestamp when the event was generated by the Azure service processing the request corresponding to the event. |
| submissionTimestamp | Timestamp when the event became available for querying. |
| subscriptionId | Azure Subscription ID. |
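As an added illustration (not code from the page or from Microsoft), the Python below triages a batch of activity-log records shaped like this schema: it keeps only records whose category and resourceProviderName match the Security schema, drops Resolved alerts and anything below a chosen properties.Severity, and reports the gap between eventTimestamp and submissionTimestamp, which is the delay a detection query would see. The record builder, sample records and GUID are constructed for the example.

```python
from datetime import datetime

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

def _rec(name, severity, status="Active", category="Security",
         provider="Microsoft.Security", submitted="2024-01-15T10:04:30Z"):
    # Constructed sample record (not real Azure data) shaped like the Security schema above.
    sub = "00000000-0000-0000-0000-000000000000"
    return {"category": category, "channels": "Operation", "eventName": name, "status": status,
            "subStatus": None, "level": "Warning", "resourceProviderName": provider,
            "resourceType": "Microsoft.Security/locations/alerts", "resourceGroupName": "rg-prod",
            "subscriptionId": sub, "eventTimestamp": "2024-01-15T10:00:00Z",
            "submissionTimestamp": submitted, "properties": {"Severity": severity},
            "resourceId": f"/subscriptions/{sub}/resourceGroups/rg-prod/providers/"
                          f"Microsoft.Security/locations/eastus/alerts/{name}"}

SAMPLE_RECORDS = [
    _rec("alert-1", "High"),
    _rec("alert-2", "Medium", submitted="2024-01-15T10:10:00Z"),
    _rec("alert-3", "Low"),
    _rec("alert-4", "High", status="Resolved"),
    _rec("vm-restart", "High", category="Administrative", provider="Microsoft.Compute"),
]

def _parse_ts(value):
    # Activity log timestamps are ISO 8601 with a trailing "Z"; normalize for fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def is_defender_alert(record):
    """Accept only records that match the Security category schema."""
    return (record.get("category") == "Security"
            and record.get("resourceProviderName") == "Microsoft.Security"
            and isinstance(record.get("properties"), dict))

def ingestion_lag_seconds(record):
    """Seconds between eventTimestamp and submissionTimestamp (when the record became queryable)."""
    return (_parse_ts(record["submissionTimestamp"]) - _parse_ts(record["eventTimestamp"])).total_seconds()

def triage(records, min_severity="Medium"):
    """Return unresolved Defender alerts at or above min_severity, highest severity first."""
    threshold = SEVERITY_RANK[min_severity]
    hits = []
    for rec in records:
        sev = rec["properties"].get("Severity") if is_defender_alert(rec) else None
        if SEVERITY_RANK.get(sev, 0) < threshold or rec.get("status") == "Resolved":
            continue
        hits.append({"eventName": rec["eventName"], "severity": sev, "resourceId": rec["resourceId"],
                     "subscriptionId": rec["subscriptionId"], "lagSeconds": ingestion_lag_seconds(rec)})
    return sorted(hits, key=lambda h: SEVERITY_RANK[h["severity"]], reverse=True)
```

Records whose properties lack a Severity value rank as 0 and are never returned, so a malformed record cannot pass the threshold by accident.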
