<span class="pill kill-chain">actorName</span>
<span class="pill kill-chain">alertId</span>
<span class="pill kill-chain">app</span>
<span class="pill kill-chain">assignedTo</span>
<span class="pill kill-chain">body</span>
<span class="pill kill-chain">category</span>
<span class="pill kill-chain">classification</span>
<span class="pill kill-chain">creationTime</span>
<span class="pill kill-chain">date_hour</span>
<span class="pill kill-chain">date_mday</span>
<span class="pill kill-chain">date_minute</span>
<span class="pill kill-chain">date_month</span>
<span class="pill kill-chain">date_second</span>
<span class="pill kill-chain">date_wday</span>
<span class="pill kill-chain">date_year</span>
<span class="pill kill-chain">date_zone</span>
<span class="pill kill-chain">description</span>
<span class="pill kill-chain">dest</span>
<span class="pill kill-chain">detectionSource</span>
<span class="pill kill-chain">detectorId</span>
<span class="pill kill-chain">determination</span>
<span class="pill kill-chain">devices{}.aadDeviceId</span>
<span class="pill kill-chain">devices{}.defenderAvStatus</span>
<span class="pill kill-chain">devices{}.deviceDnsName</span>
<span class="pill kill-chain">devices{}.firstSeen</span>
<span class="pill kill-chain">devices{}.healthStatus</span>
<span class="pill kill-chain">devices{}.loggedOnUsers{}.accountName</span>
<span class="pill kill-chain">devices{}.loggedOnUsers{}.domainName</span>
<span class="pill kill-chain">devices{}.mdatpDeviceId</span>
<span class="pill kill-chain">devices{}.onboardingStatus</span>
<span class="pill kill-chain">devices{}.osBuild</span>
<span class="pill kill-chain">devices{}.osPlatform</span>
<span class="pill kill-chain">devices{}.osProcessor</span>
<span class="pill kill-chain">devices{}.rbacGroupName</span>
<span class="pill kill-chain">devices{}.riskScore</span>
<span class="pill kill-chain">devices{}.version</span>
<span class="pill kill-chain">devices{}.vmMetadata</span>
<span class="pill kill-chain">devices{}.vmMetadata.cloudProvider</span>
<span class="pill kill-chain">devices{}.vmMetadata.resourceId</span>
<span class="pill kill-chain">devices{}.vmMetadata.subscriptionId</span>
<span class="pill kill-chain">devices{}.vmMetadata.vmId</span>
<span class="pill kill-chain">entities{}.aadUserId</span>
<span class="pill kill-chain">entities{}.accountName</span>
<span class="pill kill-chain">entities{}.applicationId</span>
<span class="pill kill-chain">entities{}.applicationName</span>
<span class="pill kill-chain">entities{}.detectionStatus</span>
<span class="pill kill-chain">entities{}.deviceId</span>
<span class="pill kill-chain">entities{}.domainName</span>
<span class="pill kill-chain">entities{}.entityType</span>
<span class="pill kill-chain">entities{}.evidenceCreationTime</span>
<span class="pill kill-chain">entities{}.fileName</span>
<span class="pill kill-chain">entities{}.filePath</span>
<span class="pill kill-chain">entities{}.ipAddress</span>
<span class="pill kill-chain">entities{}.parentProcessCreationTime</span>
<span class="pill kill-chain">entities{}.parentProcessFileName</span>
<span class="pill kill-chain">entities{}.parentProcessFilePath</span>
<span class="pill kill-chain">entities{}.parentProcessId</span>
<span class="pill kill-chain">entities{}.processCommandLine</span>
<span class="pill kill-chain">entities{}.processCreationTime</span>
<span class="pill kill-chain">entities{}.processId</span>
<span class="pill kill-chain">entities{}.remediationStatus</span>
<span class="pill kill-chain">entities{}.remediationStatusDetails</span>
<span class="pill kill-chain">entities{}.sha1</span>
<span class="pill kill-chain">entities{}.sha256</span>
<span class="pill kill-chain">entities{}.userPrincipalName</span>
<span class="pill kill-chain">entities{}.userSid</span>
<span class="pill kill-chain">entities{}.verdict</span>
<span class="pill kill-chain">eventtype</span>
<span class="pill kill-chain">firstActivity</span>
<span class="pill kill-chain">host</span>
<span class="pill kill-chain">id</span>
<span class="pill kill-chain">incidentId</span>
<span class="pill kill-chain">index</span>
<span class="pill kill-chain">investigationId</span>
<span class="pill kill-chain">investigationState</span>
<span class="pill kill-chain">lastActivity</span>
<span class="pill kill-chain">lastUpdatedTime</span>
<span class="pill kill-chain">linecount</span>
<span class="pill kill-chain">mitreTechniques{}</span>
<span class="pill kill-chain">mitre_technique_id</span>
<span class="pill kill-chain">providerAlertId</span>
<span class="pill kill-chain">resolvedTime</span>
<span class="pill kill-chain">serviceSource</span>
<span class="pill kill-chain">severity</span>
<span class="pill kill-chain">signature</span>
<span class="pill kill-chain">signature_id</span>
<span class="pill kill-chain">source</span>
<span class="pill kill-chain">sourcetype</span>
<span class="pill kill-chain">splunk_server</span>
<span class="pill kill-chain">splunk_server_group</span>
<span class="pill kill-chain">src</span>
<span class="pill kill-chain">status</span>
<span class="pill kill-chain">subject</span>
<span class="pill kill-chain">tag</span>
<span class="pill kill-chain">tag::app</span>
<span class="pill kill-chain">tag::eventtype</span>
<span class="pill kill-chain">threatFamilyName</span>
<span class="pill kill-chain">timeendpos</span>
<span class="pill kill-chain">timestartpos</span>
<span class="pill kill-chain">title</span>
<span class="pill kill-chain">type</span>
<span class="pill kill-chain">user</span>
<span class="pill kill-chain">user_name</span>
<span class="pill kill-chain">_bkt</span>
<span class="pill kill-chain">_cd</span>
<span class="pill kill-chain">_eventtype_color</span>
<span class="pill kill-chain">_indextime</span>
<span class="pill kill-chain">_raw</span>
<span class="pill kill-chain">_serial</span>
<span class="pill kill-chain">_si</span>
<span class="pill kill-chain">_sourcetype</span>
<span class="pill kill-chain">_subsecond</span>
<span class="pill kill-chain">_time</span>
Data Source: MS365 Defender Incident Alerts
Description
Data source object for MS365 Defender Incident Alerts
Details
| Property | Value |
|---|---|
| Source | ms365_defender_incident_alerts |
| Sourcetype | ms365:defender:incident:alerts |
Supported Apps
- Splunk Add-on for Microsoft Security (version 2.3.0)
Event Fields
Example Log
1{
2 "alertId": "da638001130101730338_582949328",
3 "providerAlertId": "da638001130101730338_582949328",
4 "incidentId": 486,
5 "serviceSource": "MicrosoftDefenderForEndpoint",
6 "creationTime": "2022-09-30T05:36:50.1732198Z",
7 "lastUpdatedTime": "2022-11-19T01:35:42.7033333Z",
8 "resolvedTime": "2022-10-01T01:36:00.5066667Z",
9 "firstActivity": "2022-09-30T05:06:43.8196597Z",
10 "lastActivity": "2022-09-30T05:06:43.8196597Z",
11 "title": "Suspicious URL clicked",
12 "description": "A user opened a potentially malicious URL. This alert was triggered based on a Microsoft Defender for Office 365 alert.",
13 "category": "InitialAccess",
14 "status": "Resolved",
15 "severity": "High",
16 "investigationId": null,
17 "investigationState": "UnsupportedAlertType",
18 "classification": "TruePositive",
19 "determination": "SecurityTesting",
20 "detectionSource": "MTP",
21 "detectorId": "359b36eb-337c-4f1c-b280-8c5e08f9c4a0",
22 "assignedTo": "msftadmin@metal.m365dpoc.com",
23 "actorName": null,
24 "threatFamilyName": null,
25 "mitreTechniques": [
26 "T1566.002"
27 ],
28 "devices": [
29 {
30 "mdatpDeviceId": "c7e147cb0eb3534a4dcea5acb8e61c933713b145",
31 "aadDeviceId": null,
32 "deviceDnsName": "metal-win10v.metal.m365dpoc.com",
33 "osPlatform": "Windows10",
34 "version": "1809",
35 "osProcessor": "x64",
36 "osBuild": 17763,
37 "healthStatus": "Active",
38 "riskScore": "High",
39 "rbacGroupName": "Full Auto Clients",
40 "firstSeen": "2022-08-08T08:51:02.455Z",
41 "tags": [
42 "Full auto"
43 ],
44 "defenderAvStatus": "Updated",
45 "onboardingStatus": "Onboarded",
46 "vmMetadata": {
47 "vmId": "17881b39-b03f-4a2c-9b56-078be1330bd0",
48 "cloudProvider": "Unknown",
49 "resourceId": "/subscriptions/29e73d07-8740-4164-a257-592a19a7b77c/resourceGroups/MSDXV2/providers/Microsoft.Compute/virtualMachines/MSDXV2-Win10V",
50 "subscriptionId": "29e73d07-8740-4164-a257-592a19a7b77c"
51 },
52 "loggedOnUsers": [
53 {
54 "accountName": "hetfield",
55 "domainName": "MSDXV2"
56 }
57 ]
58 }
59 ],
60 "entities": [
61 {
62 "entityType": "Process",
63 "evidenceCreationTime": "2022-09-30T05:36:50.2133333Z",
64 "verdict": "Suspicious",
65 "remediationStatus": "None",
66 "sha1": "6cbce4a295c163791b60fc23d285e6d84f28ee4c",
67 "sha256": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
68 "fileName": "powershell.exe",
69 "filePath": "",
70 "processId": 7068,
71 "processCommandLine": "powershell.exe -command \" $Process = New-Object System.Diagnostics.Process; $Process.StartInfo.FileName = 'https://nam12.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgcajebahdi.corporatelogon.xyz%2Fab%2Fjnkmbkkdnlgedc&data=05%7C01%7Chetfield%40metal.m365dpoc.com%7Cca409616a82145bd6a5f08daa2a10255%7C1a49212958c8401191cd245285f5345c%7C0%7C0%7C638001109710345383%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=FyEjRS5qOd2SkJELlueibuxLFMYNjL7fz8EbuOAvFwg%3D&reserved=0'; $Process.StartInfo.UseShellExecute = $true; $Process.Start() | Out-Null; \" ",
72 "processCreationTime": "2022-09-30T05:06:43.3390523Z",
73 "parentProcessId": 7116,
74 "parentProcessCreationTime": "2022-09-30T05:06:43.3100364Z",
75 "accountName": "hetfield",
76 "userSid": "S-1-5-21-2300221942-1987151257-321556088-1104"
77 },
78 {
79 "entityType": "File",
80 "evidenceCreationTime": "2022-09-30T05:36:50.2133333Z",
81 "verdict": "Suspicious",
82 "remediationStatus": "None",
83 "sha1": "6cbce4a295c163791b60fc23d285e6d84f28ee4c",
84 "sha256": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
85 "fileName": "powershell.exe",
86 "filePath": ""
87 },
88 {
89 "entityType": "User",
90 "evidenceCreationTime": "2022-09-30T05:36:50.2133333Z",
91 "verdict": "Suspicious",
92 "remediationStatus": "None",
93 "accountName": "hetfield",
94 "domainName": "metal.m365dpoc",
95 "userSid": "S-1-5-21-2300221942-1987151257-321556088-1104",
96 "aadUserId": "e848b07a-87af-4448-9979-09f0b809c8d4",
97 "userPrincipalName": "daftpunk"
98 },
99 {
100 "entityType": "Url",
101 "evidenceCreationTime": "2022-09-30T05:36:50.2133333Z",
102 "verdict": "Suspicious",
103 "remediationStatus": "None",
104 "url": "http://gcajebahdi.corporatelogon.xyz/ab/jnkmbkkdnlgedc"
105 }
106 ]
107}
Source: GitHub | Version: 1