Detection: Microsoft Defender ATP Alerts

Description

This analytic leverages alerts from Microsoft Defender ATP. The query aggregates and summarizes all Defender ATP alerts, providing details such as the source, file name, severity, process command line, IP address, registry key, signature, description, unique ID, and timestamps. It is not intended to detect new activity from raw data; instead it leverages Microsoft-provided alerts so they can be correlated with other data as part of risk based alerting. The data contained in the alert is mapped not only to the risk object but also to the threat object. The detection filters out evidence that Microsoft has given a verdict of clean. It dynamically maps the MITRE technique at search time to auto-populate the annotation field with the value provided in the alert, and it uses a dynamic mapping to set the risk score in Enterprise Security based on the severity of the alert.

`ms_defender_atp_alerts` (dest=* OR user=*)
| eval tmp_evidence=json_extract(_raw, "evidence"), tmp_evidencemv=json_array_to_mv(tmp_evidence), entityType = mvmap(tmp_evidencemv, spath(tmp_evidencemv, "entityType")), filePath = mvmap(tmp_evidencemv, spath(tmp_evidencemv, "filePath")), processCommandLine = mvmap(tmp_evidencemv, spath(tmp_evidencemv, "processCommandLine")), ipAddress = mvmap(tmp_evidencemv, spath(tmp_evidencemv, "ipAddress")), registryKey = mvmap(tmp_evidencemv, spath(tmp_evidencemv, "registryKey")), url = mvmap(tmp_evidencemv, spath(tmp_evidencemv, "url")), fileName = mvmap(tmp_evidencemv, spath(tmp_evidencemv, "fileName"))
| eval tmp_evidencemv=mvfilter(json_extract(tmp_evidencemv, "entityType") = "File"), fileName = mvmap(tmp_evidencemv, spath(tmp_evidencemv, "fileName"))
| eval risk_score=case(severity="informational", 5, severity="low", 15, severity="medium", 25, severity="high", 50, true(), 2)
| eval processCommandLine=if(processCommandLine="null", "", processCommandLine), ipAddress=if(ipAddress="null", "", ipAddress), registryKey=if(registryKey="null", "", registryKey), url=if(url="null", "", url)
| stats count min(_time) as firstTime max(_time) as lastTime values(fileName) as file_name values(severity) as severity values(processCommandLine) as process values(ipAddress) as ip_address values(registryKey) as registry_key values(url) as url values(mitreTechniques{}) as annotations.mitre_attack.mitre_technique_id values(signature) as signature values(user) as user values(risk_score) as risk_score by id description src
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `microsoft_defender_atp_alerts_filter`
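As an added illustration (not part of the Splunk content itself), the following Python mirrors what the SPL above does to a single alert: it walks the evidence array, re-derives the file name from File entities only, drops the literal "null" values, and applies the same severity-to-risk-score case() mapping. The alert JSON is constructed for this example; its keys follow the fields the SPL reads (evidence, entityType, fileName, processCommandLine, ipAddress, registryKey, url, severity, mitreTechniques).

```python
import json

# Severity -> risk score, mirroring the case() statement in the detection's SPL;
# the true() branch gives any unknown severity a score of 2.
SEVERITY_SCORE = {"informational": 5, "low": 15, "medium": 25, "high": 50}

# Constructed sample alert for this example; keys follow what the SPL reads.
SAMPLE_ALERT = json.dumps({
    "id": "da-example-0001",
    "severity": "medium",
    "mitreTechniques": ["T1204.002"],
    "evidence": [
        {"entityType": "File", "fileName": "sample.exe", "processCommandLine": None},
        {"entityType": "Process", "fileName": "explorer.exe",
         "processCommandLine": "sample.exe --run", "ipAddress": "null"},
        {"entityType": "Ip", "ipAddress": "198.51.100.7"},
    ],
})

def risk_score_for(severity):
    """Map alert severity to the Enterprise Security risk score used by the SPL."""
    return SEVERITY_SCORE.get(severity, 2)

def _values(evidence, key, entity_type=None):
    """Emulate mvmap/spath plus stats values(): unique, ordered, 'null' dropped."""
    out = []
    for ev in evidence:
        if entity_type is not None and ev.get("entityType") != entity_type:
            continue
        v = ev.get(key)
        if v not in (None, "null", "") and v not in out:
            out.append(v)
    return out

def normalise_alert(raw):
    """Flatten one Defender alert JSON string into the fields the stats line emits."""
    alert = json.loads(raw)
    evidence = alert.get("evidence") or []
    return {
        "id": alert["id"],
        "risk_score": risk_score_for(alert.get("severity")),
        # fileName is re-derived from File entities only (the mvfilter step);
        # the other evidence fields are collected from every evidence entry.
        "file_name": _values(evidence, "fileName", entity_type="File"),
        "process": _values(evidence, "processCommandLine"),
        "ip_address": _values(evidence, "ipAddress"),
        "registry_key": _values(evidence, "registryKey"),
        "url": _values(evidence, "url"),
        "mitre_technique_id": alert.get("mitreTechniques", []),
    }
```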

Data Source

Name                    Platform  Sourcetype              Source
MS Defender ATP Alerts  N/A       ms:defender:atp:alerts  ms_defender_atp_alerts

Macros Used

Name                                  Value
ms_defender_atp_alerts                sourcetype=ms:defender:atp:alerts
microsoft_defender_atp_alerts_filter  search *

microsoft_defender_atp_alerts_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

MITRE ATT&CK: no technique listed statically (ID, Technique and Tactic are populated at search time from the alert's mitreTechniques field)
Kill Chain Phases: none listed
NIST: NistCategory.DE_CM
CIS: Cis18Value.CIS_10
Threat Actors: none listed

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting               Value
Disabled              true
Cron Schedule         0 * * * *
Earliest Time         -70m@m
Latest Time           -10m@m
Schedule Window       auto
Creates Notable       Yes
Rule Title            %name%
Rule Description      %description%
Notable Event Fields  user, dest
Creates Risk Event    True

This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.

Implementation

In order to properly run this search, you need to ingest alert data from Microsoft Defender, specifically using the Splunk add-on for Microsoft Security. This add-on collects alerts using the ms:defender:atp:alerts sourcetype. You will need to define the ms_defender_atp_alerts macro to point to the index that contains the ms:defender:atp:alerts sourcetype. NOTE: there is also a detection named Detect Critical Alerts from Security Tools that triggers on the same data and is written against the Alerts data model. Enabling both detections will result in duplicate risk/notable events, so we recommend enabling only one of them.

Known False Positives

False positives may vary based on the Microsoft Defender configuration; monitor and filter out the alerts that are not relevant to your environment.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message                              Risk Score  Impact  Confidence
$severity$ alert for $src$ - $signature$  81          90      90

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence / 100). The initial Confidence and Impact are set by the analytic author.

Detection Testing

Test Type    Status   Dataset  Source                  Sourcetype
Validation   Passing  N/A      N/A                     N/A
Unit         Passing  Dataset  ms_defender_atp_alerts  ms:defender:atp:alerts
Integration  Passing  Dataset  ms_defender_atp_alerts  ms:defender:atp:alerts

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.


Source: GitHub | Version: 1