Generally, the purpose of "alert enrichment" is to allow customization of the alert created from a detection.
The main goal is to reduce the time it takes an analyst to triage and handle the incident. The same applies to "Alert details" dynamic content. In Azure Sentinel, when you create a detection (an analytics rule), the rule name (along with the description, MITRE tactics and severity) populates every alert created from that rule. Now let's examine the following case study to see how we can leverage "Alert details" dynamic content for better investigation and incident handling.
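As an added illustration (constructed for this page, not taken from the original post or from Microsoft's own rule templates), here is a scheduled analytics rule in the Sentinel detection YAML layout whose KQL query computes the columns that the alert details override then reads; the table, thresholds, column names and the placeholder GUID are assumptions chosen for the example.

```yaml
# Constructed example: a Sentinel scheduled rule whose alert name, description,
# severity and tactics are taken from the query results instead of the static fields.
id: 00000000-0000-0000-0000-000000000000   # placeholder GUID, replace on import
name: Burst of failed sign-ins              # static name, used when the override cannot be applied
description: Static description used when the dynamic format cannot be populated.
severity: Medium                            # static fallback severity
kind: Scheduled
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess                        # static fallback tactic
eventGroupingSettings:
  aggregationKind: AlertPerResult           # one alert per result row, so each row fills its own alert
query: |
  // Every column referenced in alertDetailsOverride must still exist at the end of the query.
  SigninLogs
  | where ResultType != 0
  | summarize FailedCount = count(), FirstSeen = min(TimeGenerated)
      by UserPrincipalName, IPAddress
  | where FailedCount >= 20
  // Severity and tactic are computed per row so the alert reflects the observed volume.
  | extend DynamicSeverity = iff(FailedCount >= 100, "High", "Medium")
  | extend DynamicTactics = "CredentialAccess"
alertDetailsOverride:
  # {{Column}} placeholders are replaced with the row's values when the alert is created.
  alertDisplayNameFormat: "{{FailedCount}} failed sign-ins for {{UserPrincipalName}}"
  # Description kept to three query columns.
  alertDescriptionFormat: "{{FailedCount}} failed sign-ins for {{UserPrincipalName}} from {{IPAddress}}"
  alertSeverityColumnName: DynamicSeverity
  alertTacticsColumnName: DynamicTactics
customDetails:
  FirstSeen: FirstSeen                      # extra context surfaced on the alert without using a description slot
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPAddress
```

With this layout the analyst sees the account, source address and failure count in the alert title and description, and the severity already reflects the volume, so triage starts from the alert list rather than from opening the query results.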
I found this feature very interesting. I'm structuring SIEM to bring a dynamic description of the alert, so this function was great. The bad point is that it is possible to use only 3 columns in the description. I imagine that in the future they should expand this number.