Microsoft Defender for Cloud sample event message

Use this sample event message to verify a successful integration with IBM® QRadar®.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Microsoft Defender for Cloud sample message when you use the Microsoft Graph Security API protocol

The following sample shows that a user attempted to access resources by using a suspicious IP address.

{ "id": "1111d111-fa11-111a-11b1-c1e11c111a11", "azureTenantId": "00000001-0001-0001-0001-000000000001", "azureSubscriptionId": "", "riskScore": null, "tags": [], "activityGroupName": null, "assignedTo": "", "category": "Malicious_IP", "closedDateTime": null, "comments": [], "confidence": 0, "createdDateTime": "2020-01-11T14:36:57.2738949Z", "description": "Network traffic analysis indicates that your devices communicated with what might be a Command and Control center for a malware of type Dridex. Dridex is a banking trojan family that steals credentials of online banking websites. Dridex is typically distributed via phishing emails with Microsoft Word and Excel document attachments. These Office documents contain malicious macro code that downloads and installs Dridex on the affected system.", "detectionIds": [], "eventDateTime": "2020-01-09T11:02:01Z", "feedback": null, "lastModifiedDateTime": "2020-01-11T14:37:05.1157187Z", "recommendedActions": [ "1. Escalate the alert to your security administrator.", "2. Add the source IP address to your local FW block list for 24 hours. For more information, see Plan virtual networks (https://sub.domain.test/en-us/documentation/articles/virtual-networks-nsg/).", "3. Make sure your devices are completely updated and have updated antimalware installed.", "4. Run a full anti-virus scan and verify that the threat was removed.", "5. Install and run Microsoft’s Malicious Software Removal Tool (https://www.domain.test/en-us/security/pc-security/malware-removal.aspx).", "6. Run Microsoft’s Autoruns utility and try to identify unknown applications that are configured to run when you sign in. For more information, see Autoruns for Windows (https://technet.domain.test/en-us/sysinternals/bb963902.aspx).", "7. Run Process Explorer and try to identify any unknown processes that are running. For more information, see Process Explorer (https://technet.domain.test/en-us/sysinternals/bb896653.aspx)." ], "severity": "high", "sourceMaterials": [], "status": "newAlert", "title": "Network communication with a malicious IP", "vendorInformation": { "provider": "Azure Security Center", "providerVersion": "3.0", "subProvider": null, "vendor": "Microsoft" }, "cloudAppStates": [], "fileStates": [], "hostStates": [ { "fqdn": "abc-TestName.AAA111.ondomain.test", "isAzureAdJoined": null, "isAzureAdRegistered": null, "isHybridAzureDomainJoined": false, "netBiosName": "abc-TestName", "os": "", "privateIpAddress": null, "publicIpAddress": "172.16.37.125", "riskScore": "0" } ], "historyStates": [], "malwareStates": [ { "category": "Trojan", "family": "Dridex", "name": "", "severity": "", "wasRunning": true } ], "networkConnections": [], "processes": [], "registryKeyStates": [], "triggers": [], "userStates": [ { "aadUserId": "", "accountName": "TestName", "domainName": "AAA111.ondomain.test", "emailRole": "unknown", "isVpn": null, "logonDateTime": null, "logonId": "0", "logonIp": null, "logonLocation": null, "logonType": null, "onPremisesSecurityIdentifier": "", "riskScore": "0", "userAccountType": null, "userPrincipalName": "TestName@AAA111.ondomain.test" } ], "vulnerabilityStates": []}
Table 1. Highlighted fields

QRadar field name    Highlighted payload field name
Event Category       category
Log Source Time      eventDateTime
Username             accountName
Source IP            publicIpAddress

Microsoft Defender for Cloud sample message when you use the Microsoft Azure Event Hubs protocol

The following sample shows that a user attempted to manipulate a WordPress theme by code injection.

{ "id": "/subscriptions/f57e6412-aaaa-1234-bbbb-11653c15d2b8/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/72cd4617-1234-1234-1234-ed28e3ed4124", "name": "72cd4617-1234-1234-1234-ed28e3ed4124", "type": "Microsoft.Security/Locations/alerts", "properties": { "status": "Active", "timeGeneratedUtc": "2022-12-13T09:39:40.4643132Z", "processingEndTimeUtc": "2022-12-13T09:39:39.9451937Z", "version": "2022-01-01.0", "vendorName": "Microsoft", "productName": "Microsoft Defender for Cloud", "alertType": "SIMULATED_APPS_WpThemeInjection", "startTimeUtc": "2022-12-13T09:39:37.9451937Z", "endTimeUtc": "2022-12-13T09:39:37.9451937Z", "severity": "High", "isIncident": false, "systemtestId": "72cd4617-1234-1234-1234-ed28e3ed4124", "intent": "Unknown", "resourceIdentifiers": [ { "$id": "centralus_1", "azureResourceId": "/SUBSCRIPTIONS/f57e6412-aaaa-1234-bbbb-11653c15d2b8/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App", "type": "AzureResource", "azureResourceTenantId": "7106186f-1234-1234-1234-9d6431c4a909" } ], "compromisedEntity": "Sample-App", "alertDisplayName": "[SAMPLE ALERT] Suspicious WordPress theme invocation detected", "description": "THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\r\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\r\nThis type of activity was seen in the past as part of an attack campaign over WordPress.", "remediationSteps": [ "1. If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.", "2. If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://example.com) for it." ], "entities": [ { "$id": "centralus_2", "hostName": "Sample-App", "azureID": "/SUBSCRIPTIONS/f57e6412-aaaa-1234-bbbb-11653c15d2b8/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App", "type": "host" } ], "alertUri": "https://example.com" } }
Table 2. Highlighted fields

QRadar field name    Highlighted payload field name
Event ID             alertType
Log Source Time      startTimeUtc
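An added example (not part of the IBM documentation and not Microsoft's or QRadar's own code) that reads both message shapes shown above, strips the carriage return and line feed characters the note at the top asks you to remove, and pulls out the payload fields listed in Tables 1 and 2. The two inline samples are constructed, cut-down copies of the page's messages that keep only the highlighted fields.

```python
"""Normalise the two Defender for Cloud sample alert shapes into the fields QRadar maps."""
import json
import re
from datetime import datetime, timezone

# Constructed, cut-down versions of the two sample messages on this page;
# only the fields QRadar highlights are kept, with the page's values.
GRAPH_SAMPLE = ('{ "id": "1111d111-fa11-111a-11b1-c1e11c111a11", "category": "Malicious_IP",\r\n'
                ' "eventDateTime": "2020-01-09T11:02:01Z", "severity": "high",\n'
                ' "hostStates": [ { "publicIpAddress": "172.16.37.125" } ],\n'
                ' "userStates": [ { "accountName": "TestName" } ] }')
EVENTHUB_SAMPLE = ('{ "properties": { "alertType": "SIMULATED_APPS_WpThemeInjection",\n'
                   ' "startTimeUtc": "2022-12-13T09:39:37.9451937Z",\n'
                   ' "description": "line one\\r\\nline two" } }')

def flatten(raw: str) -> str:
    """Drop real CR/LF characters so the pasted message is one line, as the
    page instructs. Escaped \\r\\n inside JSON strings (see the Event Hubs
    description) are two-character sequences, not control characters, so
    they survive untouched and still decode as line breaks."""
    return raw.replace("\r", "").replace("\n", "")

def parse_time(value: str) -> datetime:
    """Parse the Z-suffixed timestamps. The Event Hubs sample carries seven
    fractional digits (.9451937), which strict ISO parsers reject, so the
    fraction is cut to microseconds before parsing."""
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z", value)
    if not m:
        raise ValueError(f"unexpected timestamp: {value!r}")
    frac = (m.group(2) or "0")[:6].ljust(6, "0")
    stamp = datetime.strptime(f"{m.group(1)}.{frac}", "%Y-%m-%dT%H:%M:%S.%f")
    return stamp.replace(tzinfo=timezone.utc)

def normalise(raw: str) -> dict:
    """Return the QRadar-mapped fields for either message shape."""
    alert = json.loads(flatten(raw))
    if "properties" in alert:  # Event Hubs shape (Table 2)
        props = alert["properties"]
        return {"event_id": props["alertType"],
                "log_source_time": parse_time(props["startTimeUtc"])}
    # Graph Security API shape (Table 1); the state arrays may be empty
    hosts = alert.get("hostStates") or [{}]
    users = alert.get("userStates") or [{}]
    return {"event_category": alert["category"],
            "log_source_time": parse_time(alert["eventDateTime"]),
            "username": users[0].get("accountName"),
            "source_ip": hosts[0].get("publicIpAddress")}
```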