Data Source: MS Defender ATP Alerts

Description

Data source object for Microsoft Defender ATP alerts. (Microsoft Defender ATP is now branded Microsoft Defender for Endpoint; the example event below follows the Defender for Endpoint alert API shape — top-level `machineId`, `computerDnsName`, `alertCreationTime`, `mitreTechniques[]` and a nested `evidence[]` array — so searches written against this sourcetype should be validated against that shape.)

Details

Property Value
Source ms_defender_atp_alerts
Sourcetype ms:defender:atp:alerts

Supported Apps

Event Fields

Note for detection authors: the field list below does not use the same key names as the example log on this page. The list carries `alertId`, `serviceSource`, `creationTime`, `lastUpdatedTime`, `firstActivity`/`lastActivity`, `devices{}.*` and `entities{}.*`, which appear to follow the Microsoft 365 Defender incidents API's nested alert objects, whereas the example event uses `id`, `alertCreationTime`, `lastUpdateTime`, `firstEventTime`/`lastEventTime`, `machineId`/`computerDnsName` and `evidence{}.*`. A search on `entities{}.processCommandLine` would not match the example as shown — confirm which API shape the add-on actually ingests before relying on either set of names. Fields such as `_time`, `host`, `index`, `sourcetype`, `source`, `linecount`, `date_*`, `splunk_server*`, `eventtype`, `tag` and `tag::*` are Splunk-indexed or default fields rather than keys in the alert payload, and `src`, `dest`, `user`, `user_name`, `signature`, `signature_id` and `mitre_technique_id` are presumably CIM-style aliases produced by the add-on's field extractions — verify their mapping in the add-on's props before using them in correlation searches.

Fields
  <span class="pill kill-chain">column</span>
  
  <span class="pill kill-chain">accountName</span>
  
  <span class="pill kill-chain">action</span>
  
  <span class="pill kill-chain">activity</span>
  
  <span class="pill kill-chain">activityType</span>
  
  <span class="pill kill-chain">actor</span>
  
  <span class="pill kill-chain">actorName</span>
  
  <span class="pill kill-chain">alertId</span>
  
  <span class="pill kill-chain">app</span>
  
  <span class="pill kill-chain">assignedTo</span>
  
  <span class="pill kill-chain">body</span>
  
  <span class="pill kill-chain">category</span>
  
  <span class="pill kill-chain">classification</span>
  
  <span class="pill kill-chain">creationTime</span>
  
  <span class="pill kill-chain">date_hour</span>
  
  <span class="pill kill-chain">date_mday</span>
  
  <span class="pill kill-chain">date_minute</span>
  
  <span class="pill kill-chain">date_month</span>
  
  <span class="pill kill-chain">date_second</span>
  
  <span class="pill kill-chain">date_wday</span>
  
  <span class="pill kill-chain">date_year</span>
  
  <span class="pill kill-chain">date_zone</span>
  
  <span class="pill kill-chain">description</span>
  
  <span class="pill kill-chain">dest</span>
  
  <span class="pill kill-chain">detectionSource</span>
  
  <span class="pill kill-chain">detectorId</span>
  
  <span class="pill kill-chain">determination</span>
  
  <span class="pill kill-chain">devices{}.aadDeviceId</span>
  
  <span class="pill kill-chain">devices{}.defenderAvStatus</span>
  
  <span class="pill kill-chain">devices{}.deviceDnsName</span>
  
  <span class="pill kill-chain">devices{}.firstSeen</span>
  
  <span class="pill kill-chain">devices{}.healthStatus</span>
  
  <span class="pill kill-chain">devices{}.loggedOnUsers{}.accountName</span>
  
  <span class="pill kill-chain">devices{}.loggedOnUsers{}.domainName</span>
  
  <span class="pill kill-chain">devices{}.mdatpDeviceId</span>
  
  <span class="pill kill-chain">devices{}.onboardingStatus</span>
  
  <span class="pill kill-chain">devices{}.osBuild</span>
  
  <span class="pill kill-chain">devices{}.osPlatform</span>
  
  <span class="pill kill-chain">devices{}.osProcessor</span>
  
  <span class="pill kill-chain">devices{}.rbacGroupName</span>
  
  <span class="pill kill-chain">devices{}.riskScore</span>
  
  <span class="pill kill-chain">devices{}.version</span>
  
  <span class="pill kill-chain">devices{}.vmMetadata</span>
  
  <span class="pill kill-chain">devices{}.vmMetadata.cloudProvider</span>
  
  <span class="pill kill-chain">devices{}.vmMetadata.resourceId</span>
  
  <span class="pill kill-chain">devices{}.vmMetadata.subscriptionId</span>
  
  <span class="pill kill-chain">devices{}.vmMetadata.vmId</span>
  
  <span class="pill kill-chain">entities{}.aadUserId</span>
  
  <span class="pill kill-chain">entities{}.accountName</span>
  
  <span class="pill kill-chain">entities{}.applicationId</span>
  
  <span class="pill kill-chain">entities{}.applicationName</span>
  
  <span class="pill kill-chain">entities{}.detectionStatus</span>
  
  <span class="pill kill-chain">entities{}.deviceId</span>
  
  <span class="pill kill-chain">entities{}.domainName</span>
  
  <span class="pill kill-chain">entities{}.entityType</span>
  
  <span class="pill kill-chain">entities{}.evidenceCreationTime</span>
  
  <span class="pill kill-chain">entities{}.fileName</span>
  
  <span class="pill kill-chain">entities{}.filePath</span>
  
  <span class="pill kill-chain">entities{}.ipAddress</span>
  
  <span class="pill kill-chain">entities{}.parentProcessCreationTime</span>
  
  <span class="pill kill-chain">entities{}.parentProcessFileName</span>
  
  <span class="pill kill-chain">entities{}.parentProcessFilePath</span>
  
  <span class="pill kill-chain">entities{}.parentProcessId</span>
  
  <span class="pill kill-chain">entities{}.processCommandLine</span>
  
  <span class="pill kill-chain">entities{}.processCreationTime</span>
  
  <span class="pill kill-chain">entities{}.processId</span>
  
  <span class="pill kill-chain">entities{}.remediationStatus</span>
  
  <span class="pill kill-chain">entities{}.remediationStatusDetails</span>
  
  <span class="pill kill-chain">entities{}.sha1</span>
  
  <span class="pill kill-chain">entities{}.sha256</span>
  
  <span class="pill kill-chain">entities{}.userPrincipalName</span>
  
  <span class="pill kill-chain">entities{}.userSid</span>
  
  <span class="pill kill-chain">entities{}.verdict</span>
  
  <span class="pill kill-chain">eventtype</span>
  
  <span class="pill kill-chain">firstActivity</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">id</span>
  
  <span class="pill kill-chain">incidentId</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">investigationId</span>
  
  <span class="pill kill-chain">investigationState</span>
  
  <span class="pill kill-chain">lastActivity</span>
  
  <span class="pill kill-chain">lastUpdatedTime</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">mitreTechniques{}</span>
  
  <span class="pill kill-chain">mitre_technique_id</span>
  
  <span class="pill kill-chain">providerAlertId</span>
  
  <span class="pill kill-chain">resolvedTime</span>
  
  <span class="pill kill-chain">serviceSource</span>
  
  <span class="pill kill-chain">severity</span>
  
  <span class="pill kill-chain">signature</span>
  
  <span class="pill kill-chain">signature_id</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">splunk_server_group</span>
  
  <span class="pill kill-chain">src</span>
  
  <span class="pill kill-chain">status</span>
  
  <span class="pill kill-chain">subject</span>
  
  <span class="pill kill-chain">tag</span>
  
  <span class="pill kill-chain">tag::app</span>
  
  <span class="pill kill-chain">tag::eventtype</span>
  
  <span class="pill kill-chain">threatFamilyName</span>
  
  <span class="pill kill-chain">timeendpos</span>
  
  <span class="pill kill-chain">timestartpos</span>
  
  <span class="pill kill-chain">title</span>
  
  <span class="pill kill-chain">type</span>
  
  <span class="pill kill-chain">user</span>
  
  <span class="pill kill-chain">user_name</span>
  
  <span class="pill kill-chain">_time</span>
  

Example Log

(The leading numbers on each line are the page's line gutter, not part of the event.) The sample is a single High-severity `LateralMovement` alert with `mitreTechniques` T1021.002, T1047 and T1059.003. The `evidence[]` entries show the process chain `svchost.exe → WmiPrvSE.exe (NT AUTHORITY\NETWORK SERVICE) → cmd.exe /Q /c powershell -NoProfile -ExecutionPolicy Bypass -File "...\payload.ps1" 1> \\127.0.0.1\SharedFolder\__<epoch> 2>&1` running as `User1`; the `cmd.exe /Q /c ... 1> \\127.0.0.1\<share>\__<timestamp> 2>&1` output-redirection form is the pattern commonly associated with Impacket's wmiexec, and `processCommandLine` plus `parentProcessFileName = WmiPrvSE.exe` are the evidence fields a detection on this source would key on. The same `sha1`/`sha256` values repeat across the `WmiPrvSE.exe` and `cmd.exe` entries, so file-hash matching alone will not distinguish the malicious use from normal system binaries. Identifier values in the sample (`aadTenantId`, `machineId`, `detectorId`, SIDs) are sample data from a test host and should not be reused as indicators.

  1{
  2"id": "da47dc5671-e560-4229-984b-457564996b31_1",
  3"incidentId": 989,
  4"investigationId": null,
  5"assignedTo": null,
  6"severity": "High",
  7"status": "New",
  8"classification": null,
  9"determination": null,
 10"investigationState": "UnsupportedAlertType",
 11"detectionSource": "WindowsDefenderAtp",
 12"detectorId": "9c3a70ec-e18a-4f92-865a-530f73130b7c",
 13"category": "LateralMovement",
 14"threatFamilyName": null,
 15"title": "Ongoing hands-on-keyboard attack via Impacket toolkit",
 16"description": "Suspicious execution of a command via Impacket was observed on this device. This tool connects to other hosts to explore network shares and execute commands. Attackers might be attempting to move laterally across the network using this tool. This usage of Impacket has often been observed in hands-on-keyboard attacks, where ransomware and other payloads are installed on target devices.",
 17"alertCreationTime": "2023-01-24T05:33:37.3245808Z",
 18"firstEventTime": "2023-01-24T05:31:07.5276179Z",
 19"lastEventTime": "2023-01-24T13:02:50.7831636Z",
 20"lastUpdateTime": "2023-01-24T13:07:13.3233333Z",
 21"resolvedTime": null,
 22"machineId": "302293d9f276eae65553e5042156bce93cbc7148",
 23"computerDnsName": "diytestmachine",
 24"rbacGroupName": "UnassignedGroup",
 25"aadTenantId": "1a492129-58c8-4011-91cd-245285f5345c",
 26"threatName": null,
 27"mitreTechniques": [
 28  "T1021.002",
 29  "T1047",
 30  "T1059.003"
 31],
 32"relatedUser": {
 33  "userName": "User1",
 34  "domainName": "DIYTESTMACHINE"
 35},
 36"loggedOnUsers": [
 37  {
 38    "accountName": "administrator1",
 39    "domainName": "DIYTESTMACHINE"
 40  }
 41],
 42"comments": [],
 43"evidence": [
 44  {
 45    "entityType": "Process",
 46    "evidenceCreationTime": "2023-01-24T05:45:51.6833333Z",
 47    "sha1": "3ea7cc066317ac45f963c2227c4c7c50aa16eb7c",
 48    "sha256": "2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3",
 49    "fileName": "WmiPrvSE.exe",
 50    "filePath": "C:\\Windows\\System32\\wbem",
 51    "processId": 4476,
 52    "processCommandLine": "wmiprvse.exe -secured -Embedding",
 53    "processCreationTime": "2023-01-24T05:43:32.4631151Z",
 54    "parentProcessId": 896,
 55    "parentProcessCreationTime": "2023-01-24T04:44:17.1940386Z",
 56    "parentProcessFileName": "svchost.exe",
 57    "parentProcessFilePath": "C:\\Windows\\System32",
 58    "ipAddress": null,
 59    "url": null,
 60    "registryKey": null,
 61    "registryHive": null,
 62    "registryValueType": null,
 63    "registryValue": null,
 64    "registryValueName": null,
 65    "accountName": "NETWORK SERVICE",
 66    "domainName": "NT AUTHORITY",
 67    "userSid": "S-1-5-20",
 68    "aadUserId": null,
 69    "userPrincipalName": null,
 70    "detectionStatus": "Detected"
 71  },
 72  {
 73    "entityType": "User",
 74    "evidenceCreationTime": "2023-01-24T05:33:37.4166667Z",
 75    "sha1": null,
 76    "sha256": null,
 77    "fileName": null,
 78    "filePath": null,
 79    "processId": null,
 80    "processCommandLine": null,
 81    "processCreationTime": null,
 82    "parentProcessId": null,
 83    "parentProcessCreationTime": null,
 84    "parentProcessFileName": null,
 85    "parentProcessFilePath": null,
 86    "ipAddress": null,
 87    "url": null,
 88    "registryKey": null,
 89    "registryHive": null,
 90    "registryValueType": null,
 91    "registryValue": null,
 92    "registryValueName": null,
 93    "accountName": "User1",
 94    "domainName": "DIYTESTMACHINE",
 95    "userSid": "S-1-5-21-4215714199-1288013905-3478400915-1002",
 96    "aadUserId": null,
 97    "userPrincipalName": null,
 98    "detectionStatus": null
 99  },
100  {
101    "entityType": "Process",
102    "evidenceCreationTime": "2023-01-24T05:33:37.4166667Z",
103    "sha1": "3ea7cc066317ac45f963c2227c4c7c50aa16eb7c",
104    "sha256": "2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3",
105    "fileName": "WmiPrvSE.exe",
106    "filePath": "C:\\Windows\\System32\\wbem",
107    "processId": 7824,
108    "processCommandLine": "wmiprvse.exe -secured -Embedding",
109    "processCreationTime": "2023-01-24T05:30:50.8649791Z",
110    "parentProcessId": 896,
111    "parentProcessCreationTime": "2023-01-24T04:44:17.1940386Z",
112    "parentProcessFileName": "svchost.exe",
113    "parentProcessFilePath": "C:\\Windows\\System32",
114    "ipAddress": null,
115    "url": null,
116    "registryKey": null,
117    "registryHive": null,
118    "registryValueType": null,
119    "registryValue": null,
120    "registryValueName": null,
121    "accountName": "NETWORK SERVICE",
122    "domainName": "NT AUTHORITY",
123    "userSid": "S-1-5-20",
124    "aadUserId": null,
125    "userPrincipalName": null,
126    "detectionStatus": "Detected"
127  },
128  {
129    "entityType": "Process",
130    "evidenceCreationTime": "2023-01-24T13:07:13.2233333Z",
131    "sha1": "f1efb0fddc156e4c61c5f78a54700e4e7984d55d",
132    "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450",
133    "fileName": "cmd.exe",
134    "filePath": "C:\\Windows\\System32",
135    "processId": 5500,
136    "processCommandLine": "cmd.exe /Q /c powershell -NoProfile -ExecutionPolicy Bypass -File \"C:\\Users\\administrator1\\Desktop\\SharedFolder\\payload.ps1\" 1> \\\\127.0.0.1\\SharedFolder\\__1674565222.7012053 2>&1",
137    "processCreationTime": "2023-01-24T13:02:50.4661885Z",
138    "parentProcessId": 756,
139    "parentProcessCreationTime": "2023-01-24T13:00:35.0107475Z",
140    "parentProcessFileName": "WmiPrvSE.exe",
141    "parentProcessFilePath": "C:\\Windows\\System32\\wbem",
142    "ipAddress": null,
143    "url": null,
144    "registryKey": null,
145    "registryHive": null,
146    "registryValueType": null,
147    "registryValue": null,
148    "registryValueName": null,
149    "accountName": "User1",
150    "domainName": "DIYTESTMACHINE",
151    "userSid": "S-1-5-21-4215714199-1288013905-3478400915-1002",
152    "aadUserId": null,
153    "userPrincipalName": null,
154    "detectionStatus": "Detected"
155  },
156  {
157    "entityType": "Process",
158    "evidenceCreationTime": "2023-01-24T05:33:37.4166667Z",
159    "sha1": "f1efb0fddc156e4c61c5f78a54700e4e7984d55d",
160    "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450",
161    "fileName": "cmd.exe",
162    "filePath": "C:\\Windows\\System32",
163    "processId": 8964,
164    "processCommandLine": "cmd.exe /Q /c powershell -NoProfile -ExecutionPolicy Bypass -File \"C:\\Users\\administrator1\\Desktop\\SharedFolder\\payload.ps1\" 1> \\\\127.0.0.1\\SharedFolder\\__1674538248.357367 2>&1",
165    "processCreationTime": "2023-01-24T05:31:04.0743902Z",
166    "parentProcessId": 7824,
167    "parentProcessCreationTime": "2023-01-24T05:30:50.8649791Z",
168    "parentProcessFileName": "WmiPrvSE.exe",
169    "parentProcessFilePath": "C:\\Windows\\System32\\wbem",
170    "ipAddress": null,
171    "url": null,
172    "registryKey": null,
173    "registryHive": null,
174    "registryValueType": null,
175    "registryValue": null,
176    "registryValueName": null,
177    "accountName": "User1",
178    "domainName": "DIYTESTMACHINE",
179    "userSid": "S-1-5-21-4215714199-1288013905-3478400915-1002",
180    "aadUserId": null,
181    "userPrincipalName": null,
182    "detectionStatus": "Detected"
183  },
184  {
185    "entityType": "Process",
186    "evidenceCreationTime": "2023-01-24T05:39:47.1733333Z",
187    "sha1": "f1efb0fddc156e4c61c5f78a54700e4e7984d55d",
188    "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450",
189    "fileName": "cmd.exe",
190    "filePath": "C:\\Windows\\System32",
191    "processId": 884,
192    "processCommandLine": "cmd.exe /Q /c powershell -NoProfile -ExecutionPolicy Bypass -File \"C:\\Users\\administrator1\\Desktop\\SharedFolder\\payload.ps1\" 1> \\\\127.0.0.1\\SharedFolder\\__1674538583.8648584 2>&1",
193    "processCreationTime": "2023-01-24T05:36:38.826505Z",
194    "parentProcessId": 7736,
195    "parentProcessCreationTime": "2023-01-24T05:36:26.0524655Z",
196    "parentProcessFileName": "WmiPrvSE.exe",
197    "parentProcessFilePath": "C:\\Windows\\System32\\wbem",
198    "ipAddress": null,
199    "url": null,
200    "registryKey": null,
201    "registryHive": null,
202    "registryValueType": null,
203    "registryValue": null,
204    "registryValueName": null,
205    "accountName": "User1",
206    "domainName": "DIYTESTMACHINE",
207    "userSid": "S-1-5-21-4215714199-1288013905-3478400915-1002",
208    "aadUserId": null,
209    "userPrincipalName": null,
210    "detectionStatus": "Detected"
211  },
212  {
213    "entityType": "Process",
214    "evidenceCreationTime": "2023-01-24T13:07:13.2233333Z",
215    "sha1": "3ea7cc066317ac45f963c2227c4c7c50aa16eb7c",
216    "sha256": "2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3",
217    "fileName": "WmiPrvSE.exe",
218    "filePath": "C:\\Windows\\System32\\wbem",
219    "processId": 756,
220    "processCommandLine": "wmiprvse.exe -secured -Embedding",
221    "processCreationTime": "2023-01-24T13:00:35.0107475Z",
222    "parentProcessId": 908,
223    "parentProcessCreationTime": "2023-01-24T08:20:44.6877667Z",
224    "parentProcessFileName": "svchost.exe",
225    "parentProcessFilePath": "C:\\Windows\\System32",
226    "ipAddress": null,
227    "url": null,
228    "registryKey": null,
229    "registryHive": null,
230    "registryValueType": null,
231    "registryValue": null,
232    "registryValueName": null,
233    "accountName": "NETWORK SERVICE",
234    "domainName": "NT AUTHORITY",
235    "userSid": "S-1-5-20",
236    "aadUserId": null,
237    "userPrincipalName": null,
238    "detectionStatus": "Detected"
239  },
240  {
241    "entityType": "Process",
242    "evidenceCreationTime": "2023-01-24T05:45:51.6833333Z",
243    "sha1": "f1efb0fddc156e4c61c5f78a54700e4e7984d55d",
244    "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450",
245    "fileName": "cmd.exe",
246    "filePath": "C:\\Windows\\System32",
247    "processId": 1140,
248    "processCommandLine": "cmd.exe /Q /c powershell -NoProfile -ExecutionPolicy Bypass -File \"C:\\Users\\administrator1\\Desktop\\SharedFolder\\payload.ps1\" 1> \\\\127.0.0.1\\SharedFolder\\__1674538878.1586335 2>&1",
249    "processCreationTime": "2023-01-24T05:43:49.9375398Z",
250    "parentProcessId": 4476,
251    "parentProcessCreationTime": "2023-01-24T05:43:32.4631151Z",
252    "parentProcessFileName": "WmiPrvSE.exe",
253    "parentProcessFilePath": "C:\\Windows\\System32\\wbem",
254    "ipAddress": null,
255    "url": null,
256    "registryKey": null,
257    "registryHive": null,
258    "registryValueType": null,
259    "registryValue": null,
260    "registryValueName": null,
261    "accountName": "User1",
262    "domainName": "DIYTESTMACHINE",
263    "userSid": "S-1-5-21-4215714199-1288013905-3478400915-1002",
264    "aadUserId": null,
265    "userPrincipalName": null,
266    "detectionStatus": "Detected"
267  },
268  {
269    "entityType": "Process",
270    "evidenceCreationTime": "2023-01-24T05:39:47.1733333Z",
271    "sha1": "3ea7cc066317ac45f963c2227c4c7c50aa16eb7c",
272    "sha256": "2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3",
273    "fileName": "WmiPrvSE.exe",
274    "filePath": "C:\\Windows\\System32\\wbem",
275    "processId": 7736,
276    "processCommandLine": "wmiprvse.exe -secured -Embedding",
277    "processCreationTime": "2023-01-24T05:36:26.0524655Z",
278    "parentProcessId": 896,
279    "parentProcessCreationTime": "2023-01-24T04:44:17.1940386Z",
280    "parentProcessFileName": "svchost.exe",
281    "parentProcessFilePath": "C:\\Windows\\System32",
282    "ipAddress": null,
283    "url": null,
284    "registryKey": null,
285    "registryHive": null,
286    "registryValueType": null,
287    "registryValue": null,
288    "registryValueName": null,
289    "accountName": "NETWORK SERVICE",
290    "domainName": "NT AUTHORITY",
291    "userSid": "S-1-5-20",
292    "aadUserId": null,
293    "userPrincipalName": null,
294    "detectionStatus": "Detected"
295  }
296],
297"domains": []
298}

Source: GitHub | Version: 1