How to Obtain the Raw Alert Data in Defender for Cloud

A recently released feature for Defender for Cloud allows security teams to capture the raw alert data for further investigation.

To do this…

[1] Locate the Security Alert whose raw data you want and click the Copy alert JSON link.

Copy alert JSON

[2] Paste the JSON from the clipboard to another location. I’m using Notepad…

JSON – yay!

