Data Source: Windows Defender Alerts

Description

Data source object for Windows Defender alerts. Note that in the example log the `AdditionalFields` and `Categories` properties are JSON documents serialized as strings, so they need a second parse before their contents can be used as fields.

Details

Property Value
Source eventhub://windowsdefenderlogs
Sourcetype mscs:azure:eventhub:defender:advancedhunting
Separator AlertId

Supported Apps

Event Fields

Fields
- _time
- AlertId
- TenantId
- OperationName
- Category
- Timestamp
- EntityType
- EvidenceRole
- SHA1
- SHA256
- RemoteIP
- LocalIP
- RemoteUrl
- AccountName
- AccountDomain
- AccountSid
- AccountObjectId
- DeviceId
- ThreatFamily
- EvidenceDirection
- AdditionalFields
- MachineGroup
- NetworkMessageId
- ServiceSource
- FileName
- FolderPath
- ProcessCommandLine
- EmailSubject
- ApplicationId
- Application
- DeviceName
- FileSize
- RegistryKey
- RegistryValueName
- RegistryValueData
- AccountUpn
- OAuthApplicationId
- Categories
- Title
- AttackTechniques
- DetectionSource
- Severity
  

Example Log

{"time": "2024-06-14T20:12:23.3360383Z", "tenantId": "abced-c7ee-abce-1123-123", "operationName": "Publish", "category": "AdvancedHunting-AlertEvidence", "properties": {"Timestamp": "2024-04-14T19:59:59.1549925Z", "AlertId": "dc25", "EntityType": "CloudResource", "EvidenceRole": "Impacted", "SHA1": null, "SHA256": null, "RemoteIP": null, "LocalIP": null, "RemoteUrl": null, "AccountName": null, "AccountDomain": null, "AccountSid": null, "AccountObjectId": null, "DeviceId": null, "ThreatFamily": null, "EvidenceDirection": null, "AdditionalFields": "{\"ResourceId\":\"/subscriptions/1-2-3-4/resourceGroups/pluginframework/ providers/Microsoft.Compute/virtualMachines/phantom-identity\",\"ResourceType\":\"Virtual Machine\",\"ResourceName\":\"phantom-identity\",\"Asset\":true,\" Type\":\"azure-resource\",\"Role\":0,\"MergeByKey\":\"abcd=\",\"MergeByKeyHex\":\"1234\"}", "MachineGroup": null, "NetworkMessageId": null, "ServiceSource": "Microsoft Defender for Cloud", "FileName": null, "FolderPath": null, "ProcessCommandLine": null, "EmailSubject": null, "ApplicationId": null, "Application": null, "DeviceName": null, "FileSize": null, "RegistryKey": null, "RegistryValueName": null, "RegistryValueData": null, "AccountUpn": null, "OAuthApplicationId": null, "Categories": "[\"InitialAccess\"]", "Title": "Suspicious authentication activity", "AttackTechniques": "", "DetectionSource": "DefenderForServers", "Severity": "High"}, "Tenant": "DefaultTenant"}

Source: GitHub | Version: 1