Schema for alerts not matching with documentation when sent to EventHubs and pulled via SDK/API
This is regarding an issue we've encountered while exporting security alerts from Microsoft Defender for Cloud to Azure EventHub. Here are the details of the issue:
- We are currently sending security alerts from Microsoft Defender for Cloud to Azure EventHub. However, we have noticed that the schema of these alerts does not match when we retrieve them from EventHubs using SDKs/APIs as mentioned in this doc [The alerts API]
- Our understanding, based on this documentation, is that Defender for Cloud security alerts sent to EventHubs should adhere to the schema outlined in the alerts API documentation. Contrary to our expectations, the schema we observe from our console resembles the schema used for Log Analytics, but is not exactly the same.
- To facilitate resolution, we have attached a sample log received from the EventHub for your reference.
We are uncertain whether our understanding is incorrect or if there might be a discrepancy in the documentation.
We kindly request your assistance in clarifying this matter and providing guidance on how to ensure the consistency of the schema for security alerts exported to Azure EventHub.
Also, we wanted to know whether this behavior would also be true for all other customers or not.
Your prompt attention to this request would be greatly appreciated.
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
- ID: 91ab6818-9668-8b2f-2c70-409f62292a9b
- Version Independent ID: 7ea06d89-fe9b-2619-527f-1864ad78a86b
- Content: Schemas for the Microsoft Defender for Cloud alerts - Microsoft Defender for Cloud
- Content Source: articles/defender-for-cloud/alerts-schemas.md
- Service: defender-for-cloud
- GitHub Login: @dcurwin
- Microsoft Alias: dacurwin
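The schema mismatch described in this issue is the kind of thing a consuming pipeline should detect rather than discover when parsing fails. The following is an added example, not code from the issue reporter or from Microsoft: it decodes alert message bodies (as they would arrive from an Event Hub consumer) and compares each one against the top-level key sets the pipeline expects, reporting which documented shape the message is closest to and which keys are missing or unexpected. The key sets in `EXPECTED_SHAPES`, the `SAMPLE_MESSAGES`, and the placeholder IDs are all constructed assumptions; the real field lists must be taken from the alerts schema documentation, and receiving the messages with the `azure-eventhub` SDK is left out so the check runs offline.

```python
import json
from dataclasses import dataclass

# Constructed placeholder key sets: these are NOT the real Defender for Cloud
# schemas. Replace them with the field lists from the alerts schema docs for
# the export path you actually use (alerts API vs. Log Analytics-style).
EXPECTED_SHAPES = {
    "alerts-api": {
        "required": {"id", "name", "type", "properties"},
        "optional": set(),
    },
    "log-analytics-like": {
        "required": {"AlertName", "AlertSeverity", "TimeGenerated"},
        "optional": {"Description", "Entities"},
    },
}


@dataclass(frozen=True)
class SchemaReport:
    schema: str            # best-matching shape name, or "unknown"
    missing: frozenset     # required keys of that shape absent from the message
    unexpected: frozenset  # keys the message carries that the shape does not declare


def classify(body):
    """Compare a decoded message body against every expected shape and return
    the closest match. If no shape has at least half of its required keys
    present, the message is reported as 'unknown' so it is not silently
    forced into a schema it does not fit."""
    keys = set(body)
    best, best_score = None, -1.0
    for name, shape in EXPECTED_SHAPES.items():
        required = shape["required"]
        score = len(required & keys) / len(required)
        if score > best_score:
            best_score = score
            best = SchemaReport(
                name,
                frozenset(required - keys),
                frozenset(keys - required - shape["optional"]),
            )
    if best_score < 0.5:
        return SchemaReport("unknown", frozenset(), frozenset(keys))
    return best


def check_batch(raw_messages):
    """Decode each JSON message body, classify it and tally the outcome.
    Returns (tally, reports) where tally maps schema name -> count, counts
    undecodable bodies under 'invalid-json', and counts under 'drift' the
    messages that matched a shape but with missing or unexpected keys."""
    tally = {"drift": 0}
    reports = []
    for raw in raw_messages:
        try:
            body = json.loads(raw)
        except json.JSONDecodeError:
            tally["invalid-json"] = tally.get("invalid-json", 0) + 1
            continue
        report = classify(body)
        reports.append(report)
        tally[report.schema] = tally.get(report.schema, 0) + 1
        if report.schema != "unknown" and (report.missing or report.unexpected):
            tally["drift"] += 1
    return tally, reports


# Constructed sample bodies (placeholders, not captured alerts): one shaped like
# an API resource, one Log Analytics-like, one drifted, one not valid JSON.
SAMPLE_MESSAGES = [
    json.dumps({
        "id": "/subscriptions/<subscription-id>/providers/<placeholder>",
        "name": "<alert-id>",
        "type": "<alert-resource-type>",
        "properties": {"severity": "High"},
    }),
    json.dumps({
        "AlertName": "Sample alert",
        "AlertSeverity": "High",
        "TimeGenerated": "2024-01-01T00:00:00Z",
        "Description": "constructed sample",
    }),
    json.dumps({
        "AlertName": "Sample alert",
        "AlertSeverity": "Medium",
        "ExtraField": 1,            # not declared -> unexpected
    }),                             # and TimeGenerated is missing
    "{not json",
]


if __name__ == "__main__":
    tally, reports = check_batch(SAMPLE_MESSAGES)
    print(tally)
    for r in reports:
        if r.missing or r.unexpected:
            print(f"{r.schema}: missing={sorted(r.missing)} unexpected={sorted(r.unexpected)}")
```

Run it on the body of every message as it is received; a non-zero `drift` or `unknown` count is the signal to compare the live export against the documented schema before the downstream parser starts dropping fields. Keeping the expected key sets in one place also makes the comparison easy to update if the documented schema changes.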
@saurabh-metron Thanks for your feedback! We will investigate and update as appropriate.
@saurabh-metron Thanks for bringing this to our attention. I'm going to assign this to the document author so they can take a look at it accordingly.
@saurabh-metron This isn't a documentation issue and requires further investigation. The best way to get help is to open a support ticket.
#please-close