Microsoft Defender XDR (Graph API)
Overview
- Vendor: Microsoft
- Supported environment: SaaS
- Version compatibility:
- Detection based on: Alert
- Supported application or feature: see section below
Microsoft Defender XDR (formerly Microsoft 365 Defender) is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
This setup guide describes how to forward events produced by Microsoft Defender XDR (Graph API) to Sekoia.io XDR.
Warning
Important note - This format is currently in beta. We highly value your feedback to improve its performance.
Microsoft Defender XDR event types supported
Here is a list of all the Microsoft Defender XDR event types supported by this integration:
- Alert
- Alert Evidence
Warning
This integration only collects Alert Info and Alert Evidence. If you need to collect more event types, please use the Microsoft Defender XDR (Microsoft 365 Defender) integration instead.
Configure
Collect your Tenant ID from the Azure Portal (for more information, read How to find your Microsoft Entra ID (Azure AD) tenant ID).
Create an Azure application
- On the Azure Portal, in the search bar, go to App registrations
- Click + New registration
- Type a name
- Select the Accounts in this organizational directory only option as account type
- Click Register
- From the Overview page, copy the Application (client) ID and the Directory (tenant) ID
Create a client secret
- Go to Manage > Certificates & secrets
- Click + New client secret
- Type a description and select the desired expiration period
- Click Add
- Copy the Value of the client secret
Add permissions
- Go to Manage > API permissions
- Click Add a permission
- On the right panel, select the Microsoft APIs tab
- Click Microsoft Graph
- Click Application permissions
- Select the permission: SecurityAlert.Read.All
- Click Add permissions
- In the API permissions page, click Grant admin consent for TENANT_NAME
- Click Yes in the Grant admin consent confirmation modal
SecurityAlert.Read.All is a read-only application permission and is the only Microsoft Graph permission this integration needs; granting anything broader to this application is unnecessary.
Create an intake
Go to your Sekoia.io Intakes page, and follow these steps:
- Click the + Intake button to create a new one
- Choose Microsoft Defender XDR (Graph API), give it a name and choose the relevant Entity
- Edit the intake configuration:
  - Type the Application (client) ID in the client id field
  - Type the Directory (tenant) ID in the tenant id field
  - Type the Value of the client secret in the client secret field
  - Type the
Enjoy your events on the Events page
Raw Events Samples
In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
{
"id": "1111111111111111111111111111111",
"providerAlertId": "1111111111111111111111111111111",
"incidentId": "22222",
"status": "new",
"severity": "low",
"classification": "unknown",
"determination": "unknown",
"serviceSource": "microsoftDefenderForEndpoint",
"detectionSource": "antivirus",
"detectorId": "00000000-0000-0000-0000-000000000000",
"tenantId": "11111111-1111-1111-1111-111111111111",
"title": "Suspicious execution of hidden file",
"description": "A hidden file has been launched. This activity could indicate a compromised host. Attackers often hide files associated with malicious tools to evade file system inspection and defenses.",
"recommendedActions": "Collect artifacts and determine scope\n\ufffd\tReview the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs) \n\ufffd\tLook for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n\ufffd\tSubmit relevant files for deep analysis and review resulting detailed behavioral information.\n\ufffd\tSubmit undetected files to the MMPC malware portal\n\nInitiate containment & mitigation \n\ufffd\tContact the user to verify intent and initiate local remediation actions as needed.\n\ufffd\tUpdate AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.\n\ufffd\tEnsure that the machine has the latest security updates. In particular, ensure that you have installed the latest software, web browser, and Operating System versions.\n\ufffd\tIf credential theft is suspected, reset all relevant users passwords.\n\ufffd\tBlock communication with relevant URLs or IPs at the organization\ufffds perimeter.",
"category": "DefenseEvasion",
"assignedTo": null,
"alertWebUrl": "https://security.microsoft.com/alerts/1111111111111111111111111111111?tid=11111111-1111-1111-1111-111111111111",
"incidentWebUrl": "https://security.microsoft.com/incidents/22222?tid=11111111-1111-1111-1111-111111111111",
"actorDisplayName": null,
"threatDisplayName": null,
"threatFamilyName": null,
"mitreTechniques": [
"T1564.001"
],
"createdDateTime": "2021-04-27T12:19:27.7211305Z",
"lastUpdateDateTime": "2021-05-02T14:19:01.3266667Z",
"resolvedDateTime": null,
"firstActivityDateTime": "2021-04-26T07:45:50.116Z",
"lastActivityDateTime": "2021-05-02T07:56:58.222Z",
"comments": [],
"systemTags": [
"Defender Experts"
]
}
{
"@odata.type": "#microsoft.graph.security.deviceEvidence",
"alertId": "1111111111111111111111111111111",
"createdDateTime": "2021-04-27T12:19:27.7211305Z",
"verdict": "unknown",
"remediationStatus": "none",
"remediationStatusDetails": null,
"firstSeenDateTime": "2020-09-12T07:28:32.4321753Z",
"mdeDeviceId": "1111111111111111111111111111111111111111",
"azureAdDeviceId": null,
"deviceDnsName": "hostname.local.test",
"hostName": "hostname",
"ntDomain": null,
"dnsDomain": "local.test",
"osPlatform": "Windows10",
"osBuild": 22424,
"version": "Other",
"healthStatus": "active",
"riskScore": "medium",
"rbacGroupId": 75,
"rbacGroupName": "UnassignedGroup",
"onboardingStatus": "onboarded",
"defenderAvStatus": "unknown",
"ipInterfaces": [
"1.1.1.1"
],
"loggedOnUsers": [],
"roles": [
"compromised"
],
"detailedRoles": [
"Main device"
],
"tags": [
"Test Machine"
],
"vmMetadata": {
"vmId": "00000000-0000-0000-0000-000000000000",
"cloudProvider": "azure",
"resourceId": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/MyResourceGroup/providers/Microsoft.Compute/virtualMachines/MyVirtualMachine",
"subscriptionId": "11111111-1111-1111-1111-111111111111"
}
}
{
"@odata.type": "#microsoft.graph.security.fileEvidence",
"alertId": "1111111111111111111111111111111",
"createdDateTime": "2021-04-27T12:19:27.7211305Z",
"verdict": "unknown",
"remediationStatus": "none",
"remediationStatusDetails": null,
"detectionStatus": "detected",
"mdeDeviceId": "1111111111111111111111111111111111111111",
"roles": [],
"detailedRoles": [
"Referred in command line"
],
"tags": [],
"fileDetails": {
"sha1": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc",
"sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",
"fileName": "MsSense.exe",
"filePath": "C:\\Program Files\\temp",
"fileSize": 6136392,
"filePublisher": "Microsoft Corporation",
"signer": null,
"issuer": null
}
}
{
"@odata.type": "#microsoft.graph.security.processEvidence",
"alertId": "1111111111111111111111111111111",
"createdDateTime": "2021-04-27T12:19:27.7211305Z",
"verdict": "unknown",
"remediationStatus": "none",
"remediationStatusDetails": null,
"processId": 4780,
"parentProcessId": 668,
"processCommandLine": "\"MsSense.exe\"",
"processCreationDateTime": "2021-08-12T12:43:19.0772577Z",
"parentProcessCreationDateTime": "2021-08-12T07:39:09.0909239Z",
"detectionStatus": "detected",
"mdeDeviceId": "1111111111111111111111111111111111111111",
"roles": [],
"detailedRoles": [],
"tags": [],
"imageFile": {
"sha1": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc",
"sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",
"fileName": "MsSense.exe",
"filePath": "C:\\Program Files\\temp",
"fileSize": 6136392,
"filePublisher": "Microsoft Corporation",
"signer": null,
"issuer": null
},
"parentProcessImageFile": {
"sha1": null,
"sha256": null,
"fileName": "services.exe",
"filePath": "C:\\Windows\\System32",
"fileSize": 731744,
"filePublisher": "Microsoft Corporation",
"signer": null,
"issuer": null
},
"userAccount": {
"accountName": "SYSTEM",
"domainName": "NT AUTHORITY",
"userSid": "S-1-5-18",
"azureAdUserId": null,
"userPrincipalName": null,
"displayName": "System"
}
}
{
"@odata.type": "#microsoft.graph.security.registryKeyEvidence",
"alertId": "1111111111111111111111111111111",
"createdDateTime": "2021-04-27T12:19:27.7211305Z",
"verdict": "unknown",
"remediationStatus": "none",
"remediationStatusDetails": null,
"registryKey": "SYSTEM\\CONTROLSET001\\CONTROL\\WMI\\AUTOLOGGER\\SENSEAUDITLOGGER",
"registryHive": "HKEY_LOCAL_MACHINE",
"roles": [],
"detailedRoles": [],
"tags": []
}
Detection section
The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.
Event Categories
The following table lists the data sources covered by this integration.
| Data Source | Description |
|---|---|
| Binary file metadata | Microsoft Defender for Endpoint monitors files |
| Disk forensics | Microsoft Defender for Endpoint monitors devices |
| File monitoring | Microsoft Defender for Endpoint monitors files |
| Host network interface | Microsoft Defender for Endpoint monitors devices |
| Kernel drivers | Microsoft Defender for Endpoint monitors processes |
| Loaded DLLs | Microsoft Defender for Endpoint monitors processes |
| Named Pipes | Microsoft Defender for Endpoint monitors processes |
| PowerShell logs | Microsoft Defender for Endpoint monitors processes |
| Process command-line parameters | Microsoft Defender for Endpoint monitors processes |
| Process monitoring | Microsoft Defender for Endpoint monitors processes |
| Process use of network | Microsoft Defender for Endpoint monitors processes |
| Services | Microsoft Defender for Endpoint monitors processes |
| Windows event logs | Microsoft Defender for Endpoint watches event logs |
| Windows Registry | Microsoft Defender for Endpoint monitors the registry |
| WMI Objects | Microsoft Defender for Endpoint monitors processes |
| Email gateway | Microsoft Defender for O365 monitors emails |
| OAuth audit logs | Microsoft Defender for Cloud Apps monitors users, entity behavior and activities |
| Authentication logs | Microsoft Defender for Identity monitors users, entity behavior and activities |
| Asset management | Microsoft Defender for Identity monitors user identities and credentials |
In detail, the following table lists the types of events produced by this integration.
| Name | Values |
|---|---|
| Kind | alert, enrichment |
| Category | threat |
| Type | indicator, info |
Transformed Events Samples after Ingestion
This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
{
"message": "{\"id\": \"1111111111111111111111111111111\", \"providerAlertId\": \"1111111111111111111111111111111\", \"incidentId\": \"22222\", \"status\": \"new\", \"severity\": \"low\", \"classification\": \"unknown\", \"determination\": \"unknown\", \"serviceSource\": \"microsoftDefenderForEndpoint\", \"detectionSource\": \"antivirus\", \"detectorId\": \"00000000-0000-0000-0000-000000000000\", \"tenantId\": \"11111111-1111-1111-1111-111111111111\", \"title\": \"Suspicious execution of hidden file\", \"description\": \"A hidden file has been launched. This activity could indicate a compromised host. Attackers often hide files associated with malicious tools to evade file system inspection and defenses.\", \"recommendedActions\": \"Collect artifacts and determine scope\\n\\ufffd\\tReview the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs) \\n\\ufffd\\tLook for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\\n\\ufffd\\tSubmit relevant files for deep analysis and review resulting detailed behavioral information.\\n\\ufffd\\tSubmit undetected files to the MMPC malware portal\\n\\nInitiate containment & mitigation \\n\\ufffd\\tContact the user to verify intent and initiate local remediation actions as needed.\\n\\ufffd\\tUpdate AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.\\n\\ufffd\\tEnsure that the machine has the latest security updates. In particular, ensure that you have installed the latest software, web browser, and Operating System versions.\\n\\ufffd\\tIf credential theft is suspected, reset all relevant users passwords.\\n\\ufffd\\tBlock communication with relevant URLs or IPs at the organization\\ufffds perimeter.\", \"category\": \"DefenseEvasion\", \"assignedTo\": null, \"alertWebUrl\": \"https://security.microsoft.com/alerts/1111111111111111111111111111111?tid=11111111-1111-1111-1111-111111111111\", \"incidentWebUrl\": \"https://security.microsoft.com/incidents/22222?tid=11111111-1111-1111-1111-111111111111\", \"actorDisplayName\": null, \"threatDisplayName\": null, \"threatFamilyName\": null, \"mitreTechniques\": [\"T1564.001\"], \"createdDateTime\": \"2021-04-27T12:19:27.7211305Z\", \"lastUpdateDateTime\": \"2021-05-02T14:19:01.3266667Z\", \"resolvedDateTime\": null, \"firstActivityDateTime\": \"2021-04-26T07:45:50.116Z\", \"lastActivityDateTime\": \"2021-05-02T07:56:58.222Z\", \"comments\": [], \"systemTags\": [\"Defender Experts\"]}",
"event": {
"category": [
"threat"
],
"dataset": "alert_info",
"end": "2021-05-02T07:56:58.222000Z",
"kind": "alert",
"reason": "A hidden file has been launched. This activity could indicate a compromised host. Attackers often hide files associated with malicious tools to evade file system inspection and defenses.",
"reference": "https://security.microsoft.com/alerts/1111111111111111111111111111111?tid=11111111-1111-1111-1111-111111111111",
"start": "2021-04-26T07:45:50.116000Z",
"type": [
"info"
]
},
"@timestamp": "2021-04-27T12:19:27.721130Z",
"microsoft": {
"defender": {
"alert": {
"id": "1111111111111111111111111111111",
"recommendedActions": "Collect artifacts and determine scope\n\ufffd\tReview the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs) \n\ufffd\tLook for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n\ufffd\tSubmit relevant files for deep analysis and review resulting detailed behavioral information.\n\ufffd\tSubmit undetected files to the MMPC malware portal\n\nInitiate containment & mitigation \n\ufffd\tContact the user to verify intent and initiate local remediation actions as needed.\n\ufffd\tUpdate AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.\n\ufffd\tEnsure that the machine has the latest security updates. In particular, ensure that you have installed the latest software, web browser, and Operating System versions.\n\ufffd\tIf credential theft is suspected, reset all relevant users passwords.\n\ufffd\tBlock communication with relevant URLs or IPs at the organization\ufffds perimeter.",
"severity": "low",
"status": "new",
"title": "Suspicious execution of hidden file"
},
"incident": {
"id": "22222",
"reference": "https://security.microsoft.com/incidents/22222?tid=11111111-1111-1111-1111-111111111111"
},
"threat": {
"category": "DefenseEvasion"
}
}
},
"organization": {
"id": "11111111-1111-1111-1111-111111111111"
},
"service": {
"name": "microsoftDefenderForEndpoint",
"type": "antivirus"
},
"threat": {
"technique": {
"id": [
"T1564.001"
]
}
}
}
{
"message": "{\"@odata.type\": \"#microsoft.graph.security.deviceEvidence\", \"alertId\": \"1111111111111111111111111111111\", \"createdDateTime\": \"2021-04-27T12:19:27.7211305Z\", \"verdict\": \"unknown\", \"remediationStatus\": \"none\", \"remediationStatusDetails\": null, \"firstSeenDateTime\": \"2020-09-12T07:28:32.4321753Z\", \"mdeDeviceId\": \"1111111111111111111111111111111111111111\", \"azureAdDeviceId\": null, \"deviceDnsName\": \"hostname.local.test\", \"hostName\": \"hostname\", \"ntDomain\": null, \"dnsDomain\": \"local.test\", \"osPlatform\": \"Windows10\", \"osBuild\": 22424, \"version\": \"Other\", \"healthStatus\": \"active\", \"riskScore\": \"medium\", \"rbacGroupId\": 75, \"rbacGroupName\": \"UnassignedGroup\", \"onboardingStatus\": \"onboarded\", \"defenderAvStatus\": \"unknown\", \"ipInterfaces\": [\"1.1.1.1\"], \"loggedOnUsers\": [], \"roles\": [\"compromised\"], \"detailedRoles\": [\"Main device\"], \"tags\": [\"Test Machine\"], \"vmMetadata\": {\"vmId\": \"00000000-0000-0000-0000-000000000000\", \"cloudProvider\": \"azure\", \"resourceId\": \"/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/MyResourceGroup/providers/Microsoft.Compute/virtualMachines/MyVirtualMachine\", \"subscriptionId\": \"11111111-1111-1111-1111-111111111111\"}}",
"event": {
"category": [
"threat"
],
"dataset": "alert_evidence",
"kind": "enrichment",
"type": [
"indicator"
]
},
"@timestamp": "2021-04-27T12:19:27.721130Z",
"cloud": {
"entity": {
"id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/MyResourceGroup/providers/Microsoft.Compute/virtualMachines/MyVirtualMachine"
},
"instance": {
"id": "00000000-0000-0000-0000-000000000000"
},
"provider": "azure"
},
"host": {
"id": "1111111111111111111111111111111111111111",
"ip": [
"1.1.1.1"
],
"name": "hostname.local.test",
"os": {
"full": "Windows10",
"version": "22424"
}
},
"microsoft": {
"defender": {
"alert": {
"id": "1111111111111111111111111111111"
},
"device": {
"health_status": "active",
"onboarding_status": "onboarded"
},
"entity": {
"subscription_id": "11111111-1111-1111-1111-111111111111"
},
"evidence": {
"role": "compromised",
"roles": [
"compromised"
],
"type": "deviceEvidence"
},
"threat": {
"severity": "medium",
"suspicion_level": "Compromised"
}
}
},
"related": {
"ip": [
"1.1.1.1"
]
}
}
{
"message": "{\"@odata.type\": \"#microsoft.graph.security.fileEvidence\", \"alertId\": \"1111111111111111111111111111111\", \"createdDateTime\": \"2021-04-27T12:19:27.7211305Z\", \"verdict\": \"unknown\", \"remediationStatus\": \"none\", \"remediationStatusDetails\": null, \"detectionStatus\": \"detected\", \"mdeDeviceId\": \"1111111111111111111111111111111111111111\", \"roles\": [], \"detailedRoles\": [\"Referred in command line\"], \"tags\": [], \"fileDetails\": {\"sha1\": \"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc\", \"sha256\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\", \"fileName\": \"MsSense.exe\", \"filePath\": \"C:\\\\Program Files\\\\temp\", \"fileSize\": 6136392, \"filePublisher\": \"Microsoft Corporation\", \"signer\": null, \"issuer\": null}}",
"event": {
"category": [
"threat"
],
"dataset": "alert_evidence",
"kind": "enrichment",
"type": [
"indicator"
]
},
"@timestamp": "2021-04-27T12:19:27.721130Z",
"file": {
"directory": "C:\\Program Files\\temp",
"hash": {
"sha1": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc",
"sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b"
},
"name": "MsSense.exe",
"path": "C:\\Program Files\\temp\\MsSense.exe",
"pe": {
"company": "Microsoft Corporation"
},
"size": 6136392
},
"host": {
"id": "1111111111111111111111111111111111111111"
},
"microsoft": {
"defender": {
"alert": {
"id": "1111111111111111111111111111111"
},
"evidence": {
"type": "fileEvidence"
},
"threat": {
"detection_status": "detected"
}
}
},
"related": {
"hash": [
"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",
"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc"
]
}
}
{
"message": "{\"@odata.type\": \"#microsoft.graph.security.processEvidence\", \"alertId\": \"1111111111111111111111111111111\", \"createdDateTime\": \"2021-04-27T12:19:27.7211305Z\", \"verdict\": \"unknown\", \"remediationStatus\": \"none\", \"remediationStatusDetails\": null, \"processId\": 4780, \"parentProcessId\": 668, \"processCommandLine\": \"\\\"MsSense.exe\\\"\", \"processCreationDateTime\": \"2021-08-12T12:43:19.0772577Z\", \"parentProcessCreationDateTime\": \"2021-08-12T07:39:09.0909239Z\", \"detectionStatus\": \"detected\", \"mdeDeviceId\": \"1111111111111111111111111111111111111111\", \"roles\": [], \"detailedRoles\": [], \"tags\": [], \"imageFile\": {\"sha1\": \"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc\", \"sha256\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\", \"fileName\": \"MsSense.exe\", \"filePath\": \"C:\\\\Program Files\\\\temp\", \"fileSize\": 6136392, \"filePublisher\": \"Microsoft Corporation\", \"signer\": null, \"issuer\": null}, \"parentProcessImageFile\": {\"sha1\": null, \"sha256\": null, \"fileName\": \"services.exe\", \"filePath\": \"C:\\\\Windows\\\\System32\", \"fileSize\": 731744, \"filePublisher\": \"Microsoft Corporation\", \"signer\": null, \"issuer\": null}, \"userAccount\": {\"accountName\": \"SYSTEM\", \"domainName\": \"NT AUTHORITY\", \"userSid\": \"S-1-5-18\", \"azureAdUserId\": null, \"userPrincipalName\": null, \"displayName\": \"System\"}}",
"event": {
"category": [
"threat"
],
"dataset": "alert_evidence",
"kind": "enrichment",
"type": [
"indicator"
]
},
"@timestamp": "2021-04-27T12:19:27.721130Z",
"file": {
"directory": "C:\\Program Files\\temp",
"hash": {
"sha1": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc",
"sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b"
},
"name": "MsSense.exe",
"path": "C:\\Program Files\\temp\\MsSense.exe",
"pe": {
"company": "Microsoft Corporation"
},
"size": 6136392
},
"host": {
"id": "1111111111111111111111111111111111111111"
},
"microsoft": {
"defender": {
"alert": {
"id": "1111111111111111111111111111111"
},
"evidence": {
"type": "processEvidence"
},
"threat": {
"detection_status": "detected"
}
}
},
"process": {
"command_line": "\"MsSense.exe\"",
"name": "MsSense.exe",
"parent": {
"pid": 668,
"start": "2021-08-12T07:39:09.090923Z"
},
"pid": 4780,
"start": "2021-08-12T12:43:19.077257Z"
},
"related": {
"hash": [
"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",
"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc"
],
"user": [
"SYSTEM"
]
},
"user": {
"domain": "NT AUTHORITY",
"full_name": "System",
"id": "S-1-5-18",
"name": "SYSTEM"
}
}
{
"message": "{\"@odata.type\": \"#microsoft.graph.security.registryKeyEvidence\", \"alertId\": \"1111111111111111111111111111111\", \"createdDateTime\": \"2021-04-27T12:19:27.7211305Z\", \"verdict\": \"unknown\", \"remediationStatus\": \"none\", \"remediationStatusDetails\": null, \"registryKey\": \"SYSTEM\\\\CONTROLSET001\\\\CONTROL\\\\WMI\\\\AUTOLOGGER\\\\SENSEAUDITLOGGER\", \"registryHive\": \"HKEY_LOCAL_MACHINE\", \"roles\": [], \"detailedRoles\": [], \"tags\": []}",
"event": {
"category": [
"threat"
],
"dataset": "alert_evidence",
"kind": "enrichment",
"type": [
"indicator"
]
},
"@timestamp": "2021-04-27T12:19:27.721130Z",
"microsoft": {
"defender": {
"alert": {
"id": "1111111111111111111111111111111"
},
"evidence": {
"type": "registryKeyEvidence"
}
}
},
"registry": {
"hive": "HKLM",
"key": "SYSTEM\\CONTROLSET001\\CONTROL\\WMI\\AUTOLOGGER\\SENSEAUDITLOGGER",
"path": "HKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\WMI\\AUTOLOGGER\\SENSEAUDITLOGGER"
}
}
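As an added example, not the Sekoia.io parser or any Microsoft code, the Python below maps one raw alert or evidence object into the ECS-style document shown above: it truncates the 7-digit Graph timestamps to microseconds, joins filePath and fileName into file.path, abbreviates the registry hive, and builds the related.* pivot lists. The field selection and the HIVES table are assumptions drawn from the samples, and SAMPLE is a constructed input.

```python
"""Added example (not Sekoia.io's parser): map a raw Microsoft Graph security alert or
evidence entity to the ECS-style document shown above. SAMPLE below is constructed."""
import json
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU", "HKEY_USERS": "HKU"}

def to_ecs_ts(value):
    """Graph emits 7 fractional digits; keep the 6 (microseconds) the samples use."""
    if not value:
        return None
    head, _, frac = value.rstrip("Z").partition(".")
    return f"{head}.{(frac + '000000')[:6]}Z"

def file_fields(details):
    """fileDetails / imageFile -> ECS file.* (file.path is directory + name)."""
    out = {"directory": details.get("filePath"), "name": details.get("fileName"),
           "size": details.get("fileSize"), "pe": {"company": details.get("filePublisher")},
           "hash": {k: details[k] for k in ("sha1", "sha256") if details.get(k)}}
    if out["directory"] and out["name"]:
        out["path"] = out["directory"].rstrip("\\") + "\\" + out["name"]
    return out

def normalise(raw):
    src = json.loads(raw) if isinstance(raw, str) else raw
    doc = {"@timestamp": to_ecs_ts(src.get("createdDateTime")), "microsoft": {"defender": {}}}
    md = doc["microsoft"]["defender"]
    kind = (src.get("@odata.type") or "").rsplit(".", 1)[-1]
    if not kind:  # no @odata.type: a top-level alert resource -> dataset alert_info
        doc["event"] = {"kind": "alert", "category": ["threat"], "type": ["info"],
                        "dataset": "alert_info", "reason": src.get("description"),
                        "reference": src.get("alertWebUrl"),
                        "start": to_ecs_ts(src.get("firstActivityDateTime")),
                        "end": to_ecs_ts(src.get("lastActivityDateTime"))}
        md["alert"] = {k: src[k] for k in ("id", "title", "severity", "status") if k in src}
        md["incident"] = {"id": src.get("incidentId"), "reference": src.get("incidentWebUrl")}
        md["threat"] = {"category": src.get("category")}
        doc["organization"] = {"id": src.get("tenantId")}
        doc["service"] = {"name": src.get("serviceSource"), "type": src.get("detectionSource")}
        doc["threat"] = {"technique": {"id": list(src.get("mitreTechniques") or [])}}
        return doc
    # any evidence entity attached to an alert -> dataset alert_evidence (enrichment)
    doc["event"] = {"kind": "enrichment", "category": ["threat"], "type": ["indicator"],
                    "dataset": "alert_evidence"}
    md["alert"], md["evidence"] = {"id": src.get("alertId")}, {"type": kind}
    if src.get("detectionStatus"):
        md["threat"] = {"detection_status": src["detectionStatus"]}
    if src.get("mdeDeviceId"):
        doc["host"] = {"id": src["mdeDeviceId"]}
    related = {}
    if kind == "fileEvidence":
        doc["file"] = file_fields(src.get("fileDetails") or {})
    elif kind == "processEvidence":
        image = src.get("imageFile") or {}
        doc["file"] = file_fields(image)
        doc["process"] = {"pid": src.get("processId"), "name": image.get("fileName"),
                          "command_line": src.get("processCommandLine"),
                          "start": to_ecs_ts(src.get("processCreationDateTime")),
                          "parent": {"pid": src.get("parentProcessId"),
                                     "start": to_ecs_ts(src.get("parentProcessCreationDateTime"))}}
        acct = src.get("userAccount") or {}
        doc["user"] = {"name": acct.get("accountName"), "domain": acct.get("domainName"),
                       "id": acct.get("userSid"), "full_name": acct.get("displayName")}
        related["user"] = [acct["accountName"]] if acct.get("accountName") else []
    elif kind == "registryKeyEvidence":
        hive = HIVES.get(src.get("registryHive"), src.get("registryHive"))
        key = src.get("registryKey")
        doc["registry"] = {"hive": hive, "key": key, "path": f"{hive}\\{key}"}
    elif kind == "deviceEvidence":
        ips = list(src.get("ipInterfaces") or [])
        doc.setdefault("host", {}).update({"name": src.get("deviceDnsName"), "ip": ips,
            "os": {"full": src.get("osPlatform"), "version": str(src.get("osBuild"))}})
        roles = list(src.get("roles") or [])
        md["evidence"].update({"roles": roles, "role": roles[0] if roles else None})
        md["device"] = {"health_status": src.get("healthStatus"),
                        "onboarding_status": src.get("onboardingStatus")}
        md["threat"] = {"severity": src.get("riskScore"),
                        "suspicion_level": roles[0].capitalize() if roles else None}
        related["ip"] = ips
    related["hash"] = sorted(set(doc.get("file", {}).get("hash", {}).values()))
    related = {k: v for k, v in related.items() if v}  # ECS pivot lists; drop empty ones
    if related:
        doc["related"] = related
    return doc

SAMPLE = {"@odata.type": "#microsoft.graph.security.registryKeyEvidence", "alertId": "a1",
          "createdDateTime": "2021-04-27T12:19:27.7211305Z", "registryHive": "HKEY_LOCAL_MACHINE",
          "registryKey": "SYSTEM\\CONTROLSET001\\CONTROL\\WMI\\AUTOLOGGER\\SENSEAUDITLOGGER"}

if __name__ == "__main__":
    print(json.dumps(normalise(SAMPLE), indent=2))
```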
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. Note that inferred fields are not listed.
| Name | Type | Description |
|---|---|---|
| @timestamp | date | Date/time when the event originated. |
| cloud.entity.id | keyword | |
| cloud.instance.id | keyword | Instance ID of the host machine. |
| cloud.provider | keyword | Name of the cloud provider. |
| container.id | keyword | Unique container id. |
| container.name | keyword | Container name. |
| destination.ip | ip | IP address of the destination. |
| event.category | keyword | Event category. The second categorization field in the hierarchy. |
| event.dataset | keyword | Name of the dataset. |
| event.end | date | event.end contains the date when the event ended or when the activity was last observed. |
| event.kind | keyword | The kind of the event. The highest categorization field in the hierarchy. |
| event.reason | keyword | Reason why this event happened, according to the source |
| event.reference | keyword | Event reference URL |
| event.start | date | event.start contains the date when the event started or when the activity was first observed. |
| event.type | keyword | Event type. The third categorization field in the hierarchy. |
| file.directory | keyword | Directory where the file is located. |
| file.hash.sha1 | keyword | SHA1 hash. |
| file.hash.sha256 | keyword | SHA256 hash. |
| file.name | keyword | Name of the file including the extension, without the directory. |
| file.path | keyword | Full path to the file, including the file name. |
| file.pe.company | keyword | Internal company name of the file, provided at compile-time. |
| file.size | long | File size in bytes. |
| host.id | keyword | Unique host id. |
| host.ip | ip | Host ip addresses. |
| host.name | keyword | Name of the host. |
| host.os.full | keyword | Operating system name, including the version or code name. |
| host.os.version | keyword | Operating system version as a raw string. |
| microsoft.defender.alert.classification | keyword | Specifies whether the alert represents a true threat |
| microsoft.defender.alert.determination | keyword | Specifies the result of the investigation, whether the alert represents a true attack and if so, the nature of the attack |
| microsoft.defender.alert.id | keyword | Unique identifier for the alert |
| microsoft.defender.alert.recommendedActions | keyword | Recommended response and remediation actions to take in the event this alert was generated |
| microsoft.defender.alert.severity | keyword | The severity of the alert |
| microsoft.defender.alert.status | keyword | The status of the alert |
| microsoft.defender.alert.title | keyword | The title of the alert |
| microsoft.defender.device.health_status | keyword | The health state of the device |
| microsoft.defender.device.onboarding_status | keyword | The status of the machine onboarding to Microsoft Defender for Endpoint |
| microsoft.defender.entity.subscription_id | keyword | Unique identifier of the Azure subscription the customer tenant belongs to |
| microsoft.defender.evidence.role | keyword | The role that an evidence entity represents in an alert |
| microsoft.defender.evidence.roles | keyword | The roles that an evidence entity represents in an alert |
| microsoft.defender.evidence.type | keyword | The type of the evidence |
| microsoft.defender.incident.id | keyword | Unique identifier to represent the incident this alert resource is associated with |
| microsoft.defender.incident.reference | keyword | URL for the incident page in the Microsoft 365 Defender portal |
| microsoft.defender.threat.category | keyword | The attack kill-chain category that the alert belongs to. Aligned with the MITRE ATT&CK framework |
| microsoft.defender.threat.detection_status | keyword | The status of the detection |
| microsoft.defender.threat.family | keyword | Threat family associated with this alert |
| microsoft.defender.threat.last_remediation_state | keyword | |
| microsoft.defender.threat.name | keyword | The threat associated with this alert |
| microsoft.defender.threat.severity | keyword | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert |
| microsoft.defender.threat.suspicion_level | keyword | The status of the detection |
| organization.id | keyword | Unique identifier for the organization. |
| process.args | keyword | Array of process arguments. |
| process.command_line | wildcard | Full command line that started the process. |
| process.name | keyword | Process name. |
| process.parent.pid | long | Process id. |
| process.parent.start | date | The time the process started. |
| process.pid | long | Process id. |
| process.start | date | The time the process started. |
| registry.data.bytes | keyword | Original bytes written with base64 encoding. |
| registry.data.strings | wildcard | List of strings representing what was written to the registry. |
| registry.data.type | keyword | Standard registry type for encoding contents |
| registry.key | keyword | Hive-relative path of keys. |
| registry.path | keyword | Full path, including hive, key and value |
| registry.value | keyword | Name of the value written. |
| service.name | keyword | Name of the service. |
| service.type | keyword | The type of the service. |
| source.ip | ip | IP address of the source. |
| threat.technique.id | keyword | Threat technique id. |
| url.original | wildcard | Unmodified original url as seen in the event source. |
| user.domain | keyword | Name of the directory the user is a member of. |
| user.email | keyword | User email address. |
| user.full_name | keyword | User's full name, if available. |
| user.id | keyword | Unique identifier of the user. |
| user.name | keyword | Short name or login of the user. |
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.