Microsoft 365 Defender sample event messages
Use these sample event messages to verify a successful integration with IBM QRadar.
- The Microsoft Windows Defender ATP DSM name is now the Microsoft 365 Defender® DSM. The DSM RPM name remains Microsoft Windows Defender ATP in QRadar.
- Because of a change in the Microsoft Defender API suite as of 25 November 2021, Microsoft no longer allows the onboarding of new integrations with its SIEM API. For more information, see Deprecating the legacy SIEM API (https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/deprecating-the-legacy-siem-api/ba-p/3139643).
The Streaming API can be used with the Microsoft Azure Event Hubs protocol to forward events and alerts to QRadar. For more information about the service and its configuration, see Configure Microsoft 365 Defender to stream Advanced Hunting events to your Azure Event Hub (https://docs.microsoft.com/en-us/microsoft-365/security/defender/streaming-api-event-hub?view=o365-worldwide).
Microsoft 365 Defender sample messages when you use the Microsoft Azure Event Hubs protocol
Sample 1: The following sample event message shows a successful scheduled task update.
{"time":"2021-07-21T00:57:23.0186119Z","tenantId":"abc12345-123a-123a-456b-abcdefg12345","operationName":"Publish","category":"AdvancedHunting-DeviceEvents","properties":{"AccountSid":null,"AccountDomain":null,"AccountName":null,"LogonId":null,"FileName":null,"FolderPath":null,"MD5":null,"SHA1":null,"FileSize":null,"SHA256":null,"ProcessCreationTime":null,"ProcessTokenElevation":null,"RemoteUrl":null,"RegistryKey":null,"RegistryValueName":null,"RegistryValueData":null,"RemoteDeviceName":null,"FileOriginIP":null,"FileOriginUrl":null,"LocalIP":null,"LocalPort":null,"RemoteIP":null,"RemotePort":null,"ProcessId":null,"ProcessCommandLine":null,"AdditionalFields":"{\"TaskName\":\"\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\Schedule Maintenance Work\"}","ActionType":"ScheduledTaskUpdated","InitiatingProcessVersionInfoCompanyName":null,"InitiatingProcessVersionInfoProductName":null,"InitiatingProcessVersionInfoProductVersion":null,"InitiatingProcessVersionInfoInternalFileName":null,"InitiatingProcessVersionInfoOriginalFileName":null,"InitiatingProcessVersionInfoFileDescription":null,"InitiatingProcessFolderPath":null,"InitiatingProcessFileName":null,"InitiatingProcessFileSize":null,"InitiatingProcessMD5":null,"InitiatingProcessSHA256":null,"InitiatingProcessSHA1":null,"InitiatingProcessLogonId":999,"InitiatingProcessAccountSid":"S-1-5-18","InitiatingProcessAccountDomain":"m365defender","InitiatingProcessAccountName":"client-pc$","InitiatingProcessAccountUpn":null,"InitiatingProcessAccountObjectId":null,"InitiatingProcessCreationTime":null,"InitiatingProcessId":null,"InitiatingProcessCommandLine":null,"InitiatingProcessParentCreationTime":null,"InitiatingProcessParentId":null,"InitiatingProcessParentFileName":null,"DeviceId":"111122223333444455556666777788889999aaaa","AppGuardContainerId":"","MachineGroup":null,"Timestamp":"2021-07-21T00:55:44.2280946Z","DeviceName":"client-pc.example.net","ReportId":60533}}
| QRadar field name | Highlighted payload field name |
|---|---|
| Event Category | category |
| Event ID | ActionType |
| Device Time | Timestamp |
Sample 2: The following sample event message shows an alert for possible keylogging activity.
{"time":"2021-09-09T00:40:17.7066896Z","tenantId":"abc12345-123a-123a-456b-abcdefg12345","operationName":"Publish","category":"AdvancedHunting-AlertInfo","properties":{"AlertId":"da637667448174310467_1631502683","Timestamp":"2021-09-09T00:39:17.1650944Z","Title":"Possible keylogging activity","ServiceSource":"Microsoft Defender for Endpoint","Category":"Collection","Severity":"High","DetectionSource":"EDR","MachineGroup":null,"AttackTechniques":"[\"Input Capture (T1056)\"]"}}
| QRadar field name | Highlighted payload field name |
|---|---|
| Event Category | category |
| Event ID | Title |
| Device Time | Timestamp |
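The two Event Hubs samples above share one envelope but take QRadar's Event ID from different properties (ActionType for DeviceEvents, Title for AlertInfo), and AdditionalFields and AttackTechniques are JSON documents serialised inside a JSON string. The following added example (not IBM's DSM code) normalises both sample shapes, decodes the nested JSON, and measures the gap between the in-payload Timestamp and the envelope's publish time; the two envelopes are constructed from the page's samples, trimmed to the fields used.

```python
import json
from datetime import datetime, timezone

# Constructed envelopes in the shape of the page's Event Hubs samples (trimmed to the fields used here).
DEVICE_EVENT = r'''{"time":"2021-07-21T00:57:23.0186119Z","category":"AdvancedHunting-DeviceEvents","properties":{"ActionType":"ScheduledTaskUpdated","Timestamp":"2021-07-21T00:55:44.2280946Z","DeviceName":"client-pc.example.net","AdditionalFields":"{\"TaskName\":\"\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\Schedule Maintenance Work\"}"}}'''
ALERT_EVENT = r'''{"time":"2021-09-09T00:40:17.7066896Z","category":"AdvancedHunting-AlertInfo","properties":{"AlertId":"da637667448174310467_1631502683","Timestamp":"2021-09-09T00:39:17.1650944Z","Title":"Possible keylogging activity","Severity":"High","AttackTechniques":"[\"Input Capture (T1056)\"]"}}'''

# Which properties field supplies QRadar's Event ID, per the page's mapping tables.
EVENT_ID_FIELD = {
    "AdvancedHunting-DeviceEvents": "ActionType",
    "AdvancedHunting-AlertInfo": "Title",
}

def parse_utc(ts):
    """Defender timestamps carry 7 fractional digits and a trailing Z; trim to microseconds."""
    base, _, frac = ts.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6])
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(microsecond=micro, tzinfo=timezone.utc)

def normalize(raw):
    """Map one Event Hubs envelope to the QRadar fields named on the page."""
    env = json.loads(raw)
    props = env.get("properties") or {}
    category = env.get("category", "")
    id_field = EVENT_ID_FIELD.get(category)
    if id_field is None:
        raise ValueError(f"unsupported category: {category!r}")
    event = {
        "event_category": category,
        "event_id": props.get(id_field),
        # Device Time is the in-payload Timestamp; the envelope 'time' is when the record was published
        "device_time": props.get("Timestamp"),
        "device_name": props.get("DeviceName"),
    }
    # Publishing lag: a growing gap here means the streaming pipeline, not the endpoint clock, is behind
    if event["device_time"] and env.get("time"):
        event["publish_delay_s"] = (parse_utc(env["time"]) - parse_utc(event["device_time"])).total_seconds()
    # AdditionalFields and AttackTechniques are JSON serialised inside a JSON string: decode a second time,
    # keeping the raw text rather than dropping the event if a producer ever sends malformed content
    for key in ("AdditionalFields", "AttackTechniques"):
        value = props.get(key)
        if isinstance(value, str) and value:
            try:
                event[key] = json.loads(value)
            except json.JSONDecodeError:
                event[key] = value
    return event

if __name__ == "__main__":
    print(json.dumps([normalize(DEVICE_EVENT), normalize(ALERT_EVENT)], indent=2))
```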
Microsoft 365 Defender sample messages when you use the Microsoft Defender for Endpoint SIEM REST API protocol
Sample 1: The following sample event message shows suspicious activity.
{"AlertTime":"2017-12-27T03:54:41.1914393Z","ComputerDnsName":"<ComputerDnsName>","AlertTitle":"<AlertTitle>","Category":"CommandAndControl","Severity":"<Severity>","AlertId":"<AlertId>","Actor":"<Actor>","LinkToWDATP":"<LinkToWDATP>","IocName":"<IocName>","IocValue":"<IocValue>","CreatorIocName":"<CreatorIocName>","CreatorIocValue":"<CreatorIocValue>","Sha1":"<Sha1>","FileName":"<FileName>","FilePath":"<FilePath>","IpAddress":"192.0.2.0","Url":"<Url>","IoaDefinitionId":"<IoaDefinitionId>","UserName":"qradar1","AlertPart":"<AlertPart>","FullId":"<FullId>","LastProcessedTimeUtc":"2017-12-27T07:16:34.1412283Z","ThreatCategory":"<ThreatCategory>","ThreatFamily":"<ThreatFamily>","ThreatName":"<ThreatName>","RemediationAction":"<RemediationAction>","RemediationIsSuccess":"<RemediationIsSuccess>","Source":"WindowsDefenderAtp","Md5":"<Md5>","Sha256":"<Sha256>","WasExecutingWhileDetected":"<WasExecutingWhileDetected>","UserDomain":"<UserDomain>","LogOnUsers":"<LogOnUsers>","MachineDomain":"<MachineDomain>","MachineName":"<MachineName>","InternalIPv4List":"192.0.2.0;127.0.0.1","InternalIPv6List":"2001:0DB8:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF","FileHash":"<FileHash>","ExternalId":"<ExternalId>","IocUniqueId":"IocUniqueId"}
| QRadar field name | Highlighted payload field name |
|---|---|
| Device Time | AlertTime |
| Event ID | Category |
| Source IP | IpAddress |
| Source IP v6 | InternalIPv6List |
| Username | UserName |
Sample 2: The following sample event message shows that backdoor access was detected.
{"AlertTime":"2017-11-22T18:01:32.1887775Z","ComputerDnsName":"<ComputerDnsName>","AlertTitle":"<AlertTitle>","Category":"Backdoor","Severity":"<Severity>","AlertId":"<AlertId>","Actor":"<Actor>","LinkToWDATP":"<LinkToWDATP>","IocName":"<IocName>","IocValue":"<IocValue>","CreatorIocName":"<CreatorIocName>","CreatorIocValue":"<CreatorIocValue>","Sha1":"<Sha1>","FileName":"<FileName>","FilePath":"<FilePath>","IpAddress":"192.0.2.0","Url":"<Url>","IoaDefinitionId":"<IoaDefinitionId>","UserName":"qradar1","AlertPart":"<AlertPart>","FullId":"<FullId>","LastProcessedTimeUtc":"2017-11-22T18:01:49.8739015Z","ThreatCategory":"<ThreatCategory>","ThreatFamily":"<ThreatFamily>","ThreatName":"<ThreatName>","RemediationAction":"<RemediationAction>","RemediationIsSuccess":"<RemediationIsSuccess>","Source":"WindowsDefenderAtp","Md5":"<Md5>","Sha256":"<Sha256>","WasExecutingWhileDetected":"<WasExecutingWhileDetected>","UserDomain":"<UserDomain>","LogOnUsers":"<LogOnUsers>","MachineDomain":"<MachineDomain>","MachineName":"<MachineName>","InternalIPv4List":"192.0.2.0;127.0.0.1","InternalIPv6List":"2001:0DB8:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF","FileHash":"<FileHash>","ExternalId":"<ExternalId>","IocUniqueId":"IocUniqueId"}
| QRadar field name | Highlighted payload field name |
|---|---|
| Device Time | AlertTime |
| Event ID | Category |
| Source IP | IpAddress |
| Source IP v6 | InternalIPv6List |
| Username | UserName |
Microsoft 365 Defender sample messages when you use the Microsoft Graph Security API protocol
The following sample event message shows that a lateral movement on another device was observed in close time proximity to a suspicious network event on this device. This could mean that an attacker is attempting to move laterally across devices to gather data or elevate privileges. This alert was triggered based on a Microsoft Defender for Endpoint alert.
{"id":"da637789431774501659_-1621338217","providerAlertId":"da637789431774501659_-1621338217","incidentId":"5","status":"resolved","severity":"medium","classification":null,"determination":null,"serviceSource":"microsoftDefenderForEndpoint","detectionSource":"microsoft365Defender","detectorId":"ab3e5834-3d38-42c5-aaa6-c1cfc6c02882","tenantId":"24d3dca4-61f8-4b86-8e22-612b71d65386","title":"Possible lateral movement","description":"Lateral movement on another device was observed in close time proximity to a suspicious network event on this device. This could mean that an attacker is attempting to move laterally across devices to gather data or elevate privileges. This alert was triggered based on a Microsoft Defender for Endpoint alert.","recommendedActions":"A. Validate the alert.\r\n1. Investigate the process, its behaviors, and the endpoint involved in the original alert for suspicious activity.\r\n2. Check for other suspicious activities in the device timeline.\r\n3. Locate unfamiliar processes in the process tree. Check files for prevalence, their locations, and digital signatures.\r\n4. Submit relevant files for deep analysis and review file behaviors.\r\n5. Identify unusual system activity with system owners.\r\n\r\nB. Scope the incident. Find related device, network addresses, and files in the incident graph.\r\n\r\nC. Contain and mitigate the breach. Stop suspicious processes, isolate affected devices, decommission compromised accounts or reset passwords, block IP addresses and URLs, and install security updates.\r\n\r\nD. Contact your incident response team, or contact Microsoft support for investigation and remediation services.","category":"LateralMovement","assignedTo":"testUser@testUser@example.test","alertWebUrl":"https://security.microsoft.com/alerts/da637789431774501659_-1621338217?tid=24d3dca4-61f8-4b86-8e22-612b71d65386","incidentWebUrl":"https://security.microsoft.com/incidents/5?tid=24d3dca4-61f8-4b86-8e22-612b71d65386","actorDisplayName":null,"threatDisplayName":null,"threatFamilyName":null,"mitreTechniques":["T1570","T1021.002","T1021.003","T1021.004","T1021.006"],"createdDateTime":"2022-01-28T05:06:17.4503018Z","lastUpdateDateTime":"2022-01-28T07:11:29.6933333Z","resolvedDateTime":"2022-01-28T05:21:32.5866667Z","firstActivityDateTime":"2022-01-28T04:53:35.0699463Z","lastActivityDateTime":"2022-01-28T04:53:35.0699463Z","comments":[],"evidence":[{"@odata.type":"#microsoft.graph.security.deviceEvidence","createdDateTime":"2022-01-28T05:06:17.51Z","evidenceRole":"impacted","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"firstSeenDateTime":"2022-01-28T01:15:01.628Z","mdeDeviceId":"12345testmdeDeviceid","azureAdDeviceId":null,"deviceDnsName":"testHost.test","osPlatform":"Windows10","osBuild":17763,"version":"1809","healthStatus":"active","riskScore":"high","rbacGroupId":0,"rbacGroupName":null,"onboardingStatus":"onboarded","defenderAvStatus":"updated","loggedOnUsers":[{"accountName":"testUser","domainName":"MPRTDEV"}]},{"@odata.type":"#microsoft.graph.security.processEvidence","createdDateTime":"2022-01-28T05:06:17.51Z","evidenceRole":"related","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"processId":4,"parentProcessId":0,"processCommandLine":"","processCreationDateTime":"2022-01-28T01:01:49.3539999Z","parentProcessCreationDateTime":null,"detectionStatus":null,"mdeDeviceId":null,"parentProcessImageFile":null,"imageFile":{"sha1":"3791cf139c5f9e5c97e9c091f73e441b6a9bbd30","sha256":"e2f1857de3560a5237ca7ea661fc3688715bbbf6baa483511d49baac4ce1acf9","fileName":"System","filePath":"c:\\windows\\system32\\ntoskrnl.exe","fileSize":null,"filePublisher":null,"signer":null,"issuer":null},"userAccount":{"accountName":"system","domainName":null,"userSid":"S-1-1-1","azureAdUserId":null,"userPrincipalName":null}},{"@odata.type":"#microsoft.graph.security.ipEvidence","createdDateTime":"2022-01-28T05:06:17.51Z","evidenceRole":"related","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"ipAddress":"10.0.0.5"},{"@odata.type":"#microsoft.graph.security.urlEvidence","createdDateTime":"2022-01-28T05:06:17.51Z","evidenceRole":"related","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"url":"mprtdev-win10b"},{"@odata.type":"#microsoft.graph.security.userEvidence","createdDateTime":"2022-01-28T05:06:17.51Z","evidenceRole":"impacted","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"userAccount":{"accountName":null,"domainName":null,"userSid":null,"azureAdUserId":null,"userPrincipalName":null}}]}
| QRadar field name | Highlighted payload field name |
|---|---|
| Device Time | createdDateTime |
| Event ID | category |
| Event Category | detectionSource |
| Source IP | ipAddress |
| Username | assignedTo |
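In the Graph Security alert above, the Source IP that the table maps to ipAddress is not a top-level field: it sits inside the evidence array, in an entry discriminated by "@odata.type". The following added example (not IBM's DSM code) walks that typed array to fill the page's QRadar fields and to pull out the device, process and technique evidence a triager would want next; the alert is constructed from the page's sample, trimmed to the fields used.

```python
import json

# Constructed Graph Security alert in the shape of the page's sample, trimmed to the fields used here.
GRAPH_ALERT = r'''{"id":"da637789431774501659_-1621338217","severity":"medium","serviceSource":"microsoftDefenderForEndpoint","detectionSource":"microsoft365Defender","title":"Possible lateral movement","category":"LateralMovement","assignedTo":"testUser@testUser@example.test","mitreTechniques":["T1570","T1021.002"],"createdDateTime":"2022-01-28T05:06:17.4503018Z","evidence":[{"@odata.type":"#microsoft.graph.security.deviceEvidence","evidenceRole":"impacted","deviceDnsName":"testHost.test","riskScore":"high"},{"@odata.type":"#microsoft.graph.security.processEvidence","evidenceRole":"related","processId":4,"imageFile":{"sha1":"3791cf139c5f9e5c97e9c091f73e441b6a9bbd30","filePath":"c:\\windows\\system32\\ntoskrnl.exe"}},{"@odata.type":"#microsoft.graph.security.ipEvidence","evidenceRole":"related","ipAddress":"10.0.0.5"},{"@odata.type":"#microsoft.graph.security.userEvidence","evidenceRole":"impacted","userAccount":{"accountName":null,"userSid":null}}]}'''

def evidence_of(alert, kind):
    """Evidence entries are discriminated by @odata.type (e.g. '#microsoft.graph.security.ipEvidence')."""
    return [e for e in alert.get("evidence") or [] if e.get("@odata.type", "").endswith("." + kind)]

def normalize_graph_alert(raw):
    """Map one Graph Security alert to the QRadar fields named on the page, plus the evidence behind them."""
    alert = json.loads(raw)
    ips = [e["ipAddress"] for e in evidence_of(alert, "ipEvidence") if e.get("ipAddress")]
    files = [e.get("imageFile") or {} for e in evidence_of(alert, "processEvidence")]
    return {
        "device_time": alert.get("createdDateTime"),
        "event_id": alert.get("category"),
        "event_category": alert.get("detectionSource"),
        # Source IP lives in the evidence array, not at the top level, and several ipEvidence entries can exist;
        # the first one is taken for the single QRadar field and all of them are kept alongside
        "source_ip": ips[0] if ips else None,
        "all_ips": ips,
        # assignedTo is the analyst the alert is assigned to, not the account seen in the activity
        "username": alert.get("assignedTo"),
        "impacted_devices": [e.get("deviceDnsName") for e in evidence_of(alert, "deviceEvidence")
                             if e.get("evidenceRole") == "impacted"],
        "process_sha1s": [f["sha1"] for f in files if f.get("sha1")],
        "process_paths": [f["filePath"] for f in files if f.get("filePath")],
        "mitre_techniques": list(alert.get("mitreTechniques") or []),
    }

if __name__ == "__main__":
    print(json.dumps(normalize_graph_alert(GRAPH_ALERT), indent=2))
```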