Microsoft 365 Defender
Use the IBM® QRadar® Custom Properties for Microsoft 365 Defender Content Extension to closely monitor your Microsoft 365 Defender deployment.
Important: To avoid content errors in this content extension, keep the associated DSMs
up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled,
download the most recent version of the associated DSMs from IBM Fix Central
(https://www.ibm.com/support/fixcentral).
IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension
- IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.2.0
- IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.1.1
- IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.1.0
- IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.0.2
- IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.0.1
- IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.0.0
IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.2.0
The following table shows the new custom properties in IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.2.0.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Account Name | Yes | N/A | /"evidence"[1]/"userAccount"/"accountName" |
| Account Security Id | No | N/A | /"evidence"[1]/"userAccount"/"userSid" |
| Alert | No | N/A | /"title" |
| Alert Category | No | N/A | /"category" |
| Alert Description | No | N/A | /"description" |
| Alert Severity | No | N/A | /"severity" |
| Dectection Engine | No | N/A | /"detectionSource" |
| Domain | No | N/A | /"evidence"[1]/"userAccount"/"domainName" |
| File Directory | Yes | N/A | /"evidence"[2]/"fileDetails"/"filePath" |
| File Extension | Yes | 1 | fileDetails":.*?fileName":"[^\"\.]*\.([^\"]*?)", |
| File Size | No | N/A | /"evidence"[2]/"fileDetails"/"fileSize" |
| Filename | Yes | N/A | /"evidence"[2]/"fileDetails"/"fileName" |
| Machine ID | Yes | N/A | /"evidence"[0]/"deviceDnsName" |
| Mitre Attack ID | No | N/A | /"mitreTechniques"[] |
| OS Name | No | N/A | /"evidence"[0]/"osPlatform" |
| Parent Process ID | No | N/A | /"evidence"[1]/"parentProcessId" |
| Parent Process Name | No | N/A | /"evidence"[1]/"parentProcessImageFile"/"fileName" |
| Parent Process Path | No | N/A | /"evidence"[1]/"parentProcessImageFile"/"filePath" |
| Process CommandLine | Yes | N/A | /"evidence"[1]/"processCommandLine" |
| Process File Size | No | N/A | /"evidence"[1]/"imageFile"/"fileSize" |
| Process ID | Yes | N/A | /"evidence"[1]/"processId" |
| Process Name | Yes | N/A | /"evidence"[1]/"imageFile"/"fileName" |
| Process Path | Yes | N/A | /"evidence"[1]/"imageFile"/"filePath" |
| Process SHA1 Hash | No | N/A | /"evidence"[1]/"imageFile"/"sha1" |
| Process SHA256 Hash | No | N/A | /"evidence"[1]/"imageFile"/"sha256" |
| Reference Link | No | N/A | /"alertWebUrl" |
| SHA1 Hash | Yes | N/A | /"evidence"[2]/"fileDetails"/"sha1" |
| SHA256 Hash | Yes | N/A | /"evidence"[2]/"fileDetails"/"sha256" |
| Target Parent Process ID | No | N/A | /"evidence"[2]/"parentProcessId" |
| Target Parent Process Name | No | N/A | /"evidence"[2]/"parentProcessImageFile"/"fileName" |
| Target Parent Process Path | No | N/A | /"evidence"[2]/"parentProcessImageFile"/"filePath" |
| Target Process Command | No | N/A | /"evidence"[2]/"processCommandLine" |
| Target Process ID | No | N/A | /"evidence"[2]/"processId" |
| Target Process Name | No | N/A | /"evidence"[2]/"imageFile"/"fileName" |
| Target Process Path | No | N/A | /"evidence"[2]/"imageFile"/"filePath" |
| Target Process SHA1 Hash | No | N/A | /"evidence"[2]/"imageFile"/"sha1" |
| Target Process SHA256 Hash | No | N/A | /"evidence"[2]/"imageFile"/"sha256" |
| Threat Family | No | N/A | /"threatFamilyName" |
| Threat Name | Yes | N/A | /"threatDisplayName" |
| Threat Remediation | No | N/A | /"recommendedActions" |
| Threat Severity | No | N/A | /"evidence"[0]/"riskScore" |
| URL | Yes | N/A | /"evidence"[3]/"url" |
| Url Host | Yes | 1 | url":"(?:.*?:\/\/)?(?:www\.)?([^\/:\,\"]+)" |
IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.1.1
The following table shows the new and updated custom properties in IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.1.1.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Alert ID | No | 1 | AlertId":"(.*?)", |
| Process Id | Yes | 1 | \bInitiatingProcessId[":]+(\d+) |
IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.1.0
The following table shows the new and updated custom properties in IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.1.0.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Account Name | Yes | 1 | \bAccountName[":]+"([^"]*)" |
| Account Security ID | No | 1 | \bAccountSid[":]+"([^"]*)" |
| Action | Yes | 1 | \bActionType[":]+"([^"]*)" RemediationAction":"(.*?)", |
| Action Result | No | 1 | RemediationIsSuccess":(.*?), |
| Domain | No | 1 | \bDeviceName[":]+"([^"]*)" |
| Execution Status | No | 1 | WasExecutingWhileDetected":(.*?), |
| File Directory | Yes | 1 | \bFolderPath[":]+"([^"]*)" |
| File Size | No | 1 | \bFileSize[":]+(\d+) |
| Filename | Yes | 1 | \bFileName[":]+"([^"]*)" |
| Logon ID | Yes | 1 | \bLogonId[":]+(\d+) |
| MD5 Hash | Yes | 1 | \bMD5[":]+"([^"]*)" |
| Parent Process ID | No | 1 | \bInitiatingProcessParentId[":]+(\d+) |
| Parent Process Name | Yes | 1 | \bInitiatingProcessParentFileName[":]+"([^"]*)" |
| Process Account Domain | No | 1 | \bInitiatingProcessAccountDomain[":]+"([^"]*)" |
| Process Account Name | No | 1 | \bInitiatingProcessAccountName[":]+"([^"]*)" |
| Process Account Security ID | No | 1 | \bInitiatingProcessAccountSid[":]+"([^"]*)" |
| Process CommandLine | Yes | 1 | \bInitiatingProcessCommandLine[":]+(.*?)","InitiatingProcessParentCreationTime |
| Process File Size | No | 1 | \bInitiatingProcessFileSize[":]+(\d+) |
| ProcessID | No | 1 | \bInitiatingProcessId[":]+(\d+) |
| Process Logon ID | No | 1 | \bInitiatingProcessLogonId[":]+(\d+) |
| Procecss MD5 Hash | No | 1 | \bInitiatingProcessMD5[":]+"([^"]*)" |
| Process Name | Yes | 1 | \bInitiatingProcessFileName[":]+"([^"]*)" |
| Process Path | Yes | 1 | \bInitiatingProcessFolderPath[":]+"([^"]*)" |
| Process SHA1 Hash | No | 1 | \bInitiatingProcessSHA1[":]+"([^"]*)" |
| Process SHA256 | No | 1 | \bInitiatingProcessSHA256[":]+"([^"]*)" |
| Registry Key | Yes | 1 | \bRegistryKey[":]+"([^"]*)" |
| SHA1 | Yes | 1 | \bSHA1[":]+"([^"]*)" |
| SHA256 | Yes | 1 | \bSHA256[":]+"([^"]*)" |
| Threat Category | No | 1 | ThreatCategory":"(.*?)", |
| Threat Family | No | 1 | ThreatFamily":"(.*?)", |
| Threat Name | Yes | 1 | ThreatName":"(.*?)", |
| Threat Severity | No | 1 | Severity":"(.*?)" |
IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.0.2
The following table shows the updated custom properties in IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.0.2.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| MD5 Hash | Yes | 1 | Md5":"(.*?)", |
| SHA1 Hash | Yes | 1 | Sha1":"(.*?)", |
IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.0.1
The following table shows the new custom properties in IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.0.1.
| Name | Optimized | Enabled | Regex |
|---|---|---|---|
| File Directory | 1 | 1 | FilePath":"(.*?)", |
The following table shows the changed custom properties in IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.0.1.
| Name | Optimized |
|---|---|
| Filename | 1 |
| File Extension | 1 |
| Urlhost | 1 |
The following table shows the removed custom properties in IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.0.1.
| Name | Replaced With |
|---|---|
| File Path | File Directory |
IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.0.0
The following table shows the custom properties in IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.0.0.
| Name | Capture Group | Regex |
|---|---|---|
| Filename | 1 | FileName":"(.*?)", |
| File Path | 1 | FilePath":"(.*?)", |
| File Hash | 1 | FileHash":"(.*?)", |
| MD5 Hash | 1 | Md5":"(.*?)", |
| SHA1 Hash | 1 | Sha1":"(.*?)", |
| SHA256 Hash | 1 | Sha256":"(.*?)", |
| Computer Name | 1 | MachineName":"(.*?)" |
| Threat Name | 1 | ThreatName":"(.*?)", |
| Threat Severity | 1 | Severity":"(.*?)" |
| Threat Category | 1 | ThreatCategory":"(.*?)", |
| Threat Family | 1 | ThreatFamily":"(.*?)", |
| Action | 1 | RemediationAction":"(.*?)", |
| Action Result | 1 | RemediationIsSuccess":(.*?), |
| URL | 1 | Url\"\:\"(.*?)\", |
| URLHost | 1 | Url\"\:\"(?:.*?:\/\/)?(?:www\.)?([^\/:\,\"]+) |
| IOC Name | 1 | IocName":"(.*?)", |
| IOC Value | 1 | IocValue":"(.*?)", |
| Execution Status | 1 | WasExecutingWhileDetected":(.*?), |
| Alert | 1 | AlertTitle":"(.*?)", |
| Alert_Category | 1 | Category":"(.*?)", |
| Alert_Severity | 1 | Severity":"(.*?)", |
| Reference Link | 1 | LinkToWDATP":"(.*?)", |
| Detection Engine | 1 | Source":"(.*?)", |
| File Extension | 1 | FileName":"[^\"\.]*\.([^\"]*?)" |