Surface custom event details in alerts in Microsoft Sentinel

Scheduled query analytics rules analyze events from data sources connected to Microsoft Sentinel, and produce alerts when the contents of these events are significant from a security perspective. These alerts are further analyzed, grouped, and filtered by Microsoft Sentinel's various engines and distilled into incidents that warrant a SOC analyst's attention. However, when the analyst views the incident, only the properties of the component alerts themselves are immediately visible. Getting to the actual content - the information contained in the events - requires doing some digging.

Using the custom details feature in the analytics rule wizard, you can surface event data in the alerts that are constructed from those events, making the event data part of the alert properties. In effect, this gives you immediate event content visibility in your incidents, enabling you to triage, investigate, draw conclusions, and respond with much greater speed and efficiency.

Use this procedure to add or modify custom details in an existing scheduled query analytics rule. These steps are part of the analytics rule creation wizard but are treated here independently.

Important

After March 31, 2027, Microsoft Sentinel will no longer be supported in the Azure portal and will be available only in the Microsoft Defender portal. All customers using Microsoft Sentinel in the Azure portal will be redirected to the Defender portal and will use Microsoft Sentinel in the Defender portal only.

If you're still using Microsoft Sentinel in the Azure portal, we recommend that you start planning your transition to the Defender portal to ensure a smooth transition and take full advantage of the unified security operations experience offered by Microsoft Defender.

How to surface custom event details

Perform the following steps to surface custom event details in an analytics rule.

  1. Enter the Analytics page in the portal through which you access Microsoft Sentinel:

    From the Microsoft Defender navigation menu, expand Microsoft Sentinel, then Configuration. Select Analytics.

  2. Select a scheduled query rule and click Edit. Or create a new rule by clicking Create > Scheduled query rule at the top of the screen.

  3. Click the Set rule logic tab.

  4. In the Alert enrichment section, expand Custom details.

    [Screenshot: Find and select custom details]

  5. In the expanded Custom details section, add key-value pairs for the details you want to surface:

    1. In the Key field, enter a name of your choosing that will appear as the field name in alerts.

    2. In the Value field, choose the event parameter you wish to surface in the alerts from the drop-down list. This list will be populated by values corresponding to the fields in the tables that are the subject of the rule query.

      [Screenshot: Add custom details]

  6. To surface more details, click Add new and enter a Key name and select a Value from the drop-down list for each additional key-value pair.

    If you change your mind, or if you made a mistake, you can remove a custom detail by clicking the trash can icon next to the Value drop-down list for that detail.

  7. When you have finished defining custom details, click the Review and create tab. Once the rule validation is successful, click Save.

    Note

    Service limits

    • You can define up to 20 custom details in a single analytics rule. Each custom detail can contain up to 50 values.

    • The combined size limit for all custom details and their values in a single alert is 2 KB. Values in excess of this limit are dropped.
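The following is an added example, not Microsoft's code and not part of the Sentinel product. It models the Key/Value pairs from the wizard steps above as a plain mapping from detail name to query column, builds the per-alert custom details the way an analyst would expect to see them (one list of values per key), checks the three service limits from the note, and shows how to read the details back out of a SecurityAlert record's ExtendedProperties field. The column names, sample rows and the ExtendedProperties sample are constructed; the exact nesting of the "Custom Details" entry inside ExtendedProperties (a JSON string holding a JSON object) and the de-duplication of values per key are assumptions about Sentinel's behaviour, not something this page states.

```python
"""Added example (not Microsoft's code): model the custom-details step of a
Microsoft Sentinel scheduled analytics rule and the service limits in the note.
Assumptions: key -> column mapping mirrors the wizard's Key/Value pairs;
'Custom Details' inside SecurityAlert.ExtendedProperties is where the details
land (nested JSON string); sample columns and rows are constructed."""
import json

MAX_DETAILS = 20        # custom details per analytics rule
MAX_VALUES = 50         # values per custom detail
MAX_BYTES = 2 * 1024    # combined size of all details and values in one alert

# Constructed sample of the wizard's Key (detail name) -> Value (query column).
CUSTOM_DETAILS_MAP = {
    "SourceIP": "SrcIpAddr",
    "TargetAccount": "TargetUserName",
    "Process": "ProcessName",
}

# Constructed sample query results, i.e. rows the rule query would return.
SAMPLE_ROWS = [
    {"SrcIpAddr": "203.0.113.10", "TargetUserName": "alice", "ProcessName": "powershell.exe"},
    {"SrcIpAddr": "203.0.113.10", "TargetUserName": "bob",   "ProcessName": "cmd.exe"},
    {"SrcIpAddr": "198.51.100.7", "TargetUserName": "alice", "ProcessName": "powershell.exe"},
]


def validate_mapping(mapping, available_columns):
    """Pre-save checks: detail count limit and every Value must be a query column."""
    errors = []
    if len(mapping) > MAX_DETAILS:
        errors.append(f"{len(mapping)} custom details exceeds the limit of {MAX_DETAILS}")
    for key, column in mapping.items():
        if column not in available_columns:
            errors.append(f"{key}: column '{column}' is not in the rule query output")
    return errors


def build_custom_details(mapping, rows):
    """Collect distinct values per detail key (first-seen order), capped at MAX_VALUES.

    Assumption: Sentinel groups the matched rows' values under each key as a list.
    """
    details = {}
    for key, column in mapping.items():
        seen = []
        for row in rows:
            value = row.get(column)
            if value is None:
                continue
            text = str(value)
            if text not in seen:
                seen.append(text)
        details[key] = seen[:MAX_VALUES]
    return details


def check_size(details):
    """Return (size_in_bytes, within_limit) for the serialized custom details."""
    size = len(json.dumps(details, separators=(",", ":")).encode("utf-8"))
    return size, size <= MAX_BYTES


def extract_custom_details(extended_properties_json):
    """Read custom details back from a SecurityAlert.ExtendedProperties string.

    Assumption: the 'Custom Details' entry is itself a JSON-encoded string;
    a plain object is accepted as well so the reader works either way.
    """
    props = json.loads(extended_properties_json)
    raw = props.get("Custom Details")
    if raw is None:
        return {}
    return json.loads(raw) if isinstance(raw, str) else raw


if __name__ == "__main__":
    columns = set(SAMPLE_ROWS[0])
    print("validation errors:", validate_mapping(CUSTOM_DETAILS_MAP, columns))
    details = build_custom_details(CUSTOM_DETAILS_MAP, SAMPLE_ROWS)
    print("custom details:", details)
    print("size/within limit:", check_size(details))
    # Constructed ExtendedProperties value as it might appear on the alert record.
    ext = json.dumps({"Custom Details": json.dumps(details), "Query Period": "01:00:00"})
    print("read back:", extract_custom_details(ext))
```

Run the module directly to see the constructed rule's details, or reuse `validate_mapping` and `check_size` as a pre-deployment check so a rule that would exceed the 20-detail or 2 KB limits is caught before values start being silently dropped from alerts.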

Learn more about alert enrichment and analytics rules in Microsoft Sentinel: