Microsoft 365 Defender

Use the IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension to closely monitor your Microsoft 365 Defender deployment.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension

IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.2.1

The following table shows the IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.2.1.

Table 1. New Custom Properties in IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.2.1
Name Optimized Capture Group Regex
Account Name Yes N/A AccountName":"(.*?)",
Action Type No 1 ActionType":"(.*?)",
Command Yes N/A CommandLine":"\\"(.*?),
File Directory Yes N/A FolderPath":"(.*?)",
File Size No N/A FileSize":(.*?),
Filename Yes N/A ProcessFileName":"(.*?)",
Machine Identifier Yes N/A DeviceId":"(.*?)",
MD5 Hash Yes N/A MD5[":]+"([^"]*)"
Parent Process ID No N/A ParentId":(.*?),
Parent Process Name No N/A ParentFileName":"(.*?)",
Process ID Yes N/A ProcessId":(.*?),
Protocol Yes N/A Protocol":"(.*?)",
ReferrerURL No 1 ReferrerUrl":(.*?),
SHA1 Hash Yes N/A SHA1[":]+"([^"]*)"
Signature Status No 1 SignatureStatus":"(.*?)",
Signer Type No 1 SignerType":"(.*?)",

IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.2.0

The following table shows the new custom properties in IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.2.0.

Table 2. New Custom Properties in IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.2.0
Name Optimized Capture Group Regex
Account Name Yes N/A /"evidence"[1]/"userAccount"/"accountName"
Account Security Id No N/A /"evidence"[1]/"userAccount"/"userSid"
Alert No N/A /"title"
Alert Category No N/A /"category"
Alert Description No N/A /"description"
Alert Severity No N/A /"severity"
Dectection Engine No N/A /"detectionSource"
Domain No N/A /"evidence"[1]/"userAccount"/"domainName"
File Directory Yes N/A /"evidence"[2]/"fileDetails"/"filePath"
File Extension Yes 1 fileDetails":.*?fileName":"[^\"\.]*\.([^\"]*?)",
File Size No N/A /"evidence"[2]/"fileDetails"/"fileSize"
Filename Yes N/A /"evidence"[2]/"fileDetails"/"fileName"
Machine ID Yes N/A /"evidence"[0]/"deviceDnsName"
Mitre Attack ID No N/A /"mitreTechniques"[]
OS Name No N/A /"evidence"[0]/"osPlatform"
Parent Process ID No N/A /"evidence"[1]/"parentProcessId"
Parent Process Name No N/A /"evidence"[1]/"parentProcessImageFile"/"fileName"
Parent Process Path No N/A /"evidence"[1]/"parentProcessImageFile"/"filePath"
Process CommandLine Yes N/A /"evidence"[1]/"processCommandLine"
Process File Size No N/A /"evidence"[1]/"imageFile"/"fileSize"
Process ID Yes N/A /"evidence"[1]/"processId"
Process Name Yes N/A /"evidence"[1]/"imageFile"/"fileName"
Process Path Yes N/A /"evidence"[1]/"imageFile"/"filePath"
Process SHA1 Hash No N/A /"evidence"[1]/"imageFile"/"sha1"
Process SHA256 Hash No N/A /"evidence"[1]/"imageFile"/"sha256"
Reference Link No N/A /"alertWebUrl"
SHA1 Hash Yes N/A /"evidence"[2]/"fileDetails"/"sha1"
SHA256 Hash Yes N/A /"evidence"[2]/"fileDetails"/"sha256"
Target Parent Process ID No N/A /"evidence"[2]/"parentProcessId"
Target Parent Process Name No N/A /"evidence"[2]/"parentProcessImageFile"/"fileName"
Target Parent Process Path No N/A /"evidence"[2]/"parentProcessImageFile"/"filePath"
Target Process Command No N/A /"evidence"[2]/"processCommandLine"
Target Process ID No N/A /"evidence"[2]/"processId"
Target Process Name No N/A /"evidence"[2]/"imageFile"/"fileName"
Target Process Path No N/A /"evidence"[2]/"imageFile"/"filePath"
Target Process SHA1 Hash No N/A /"evidence"[2]/"imageFile"/"sha1"
Target Process SHA256 Hash No N/A /"evidence"[2]/"imageFile"/"sha256"
Threat Family No N/A /"threatFamilyName"
Threat Name Yes N/A /"threatDisplayName"
Threat Remediation No N/A /"recommendedActions"
Threat Severity No N/A /"evidence"[0]/"riskScore"
URL Yes N/A /"evidence"[3]/"url"
Url Host Yes 1 url":"(?:.*?:\/\/)?(?:www\.)?([^\/:\,\"]+)"

IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.1.1

The following table shows the new and updated custom properties in IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.1.1.

Table 3. New Custom Properties in IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.1.1
Name Optimized Capture Group Regex
Alert ID No 1 AlertId":"(.*?)",
Process Id Yes 1 \bInitiatingProcessId[":]+(\d+)

IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.1.0

The following table shows the new and updated custom properties in IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.1.0.

Table 4. New Custom Properties in IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.1.0
Name Optimized Capture Group Regex
Account Name Yes 1 \bAccountName[":]+"([^"]*)"
Account Security ID No 1 \bAccountSid[":]+"([^"]*)"
Action Yes 1 \bActionType[":]+"([^"]*)"

RemediationAction":"(.*?)",
Action Result No 1 RemediationIsSuccess":(.*?),
Domain No 1 \bDeviceName[":]+"([^"]*)"
Execution Status No 1 WasExecutingWhileDetected":(.*?),
File Directory Yes 1 \bFolderPath[":]+"([^"]*)"
File Size No 1 \bFileSize[":]+(\d+)
Filename Yes 1 \bFileName[":]+"([^"]*)"
Logon ID Yes 1 \bLogonId[":]+(\d+)
MD5 Hash Yes 1 \bMD5[":]+"([^"]*)"
Parent Process ID No 1 \bInitiatingProcessParentId[":]+(\d+)
Parent Process Name Yes 1 \bInitiatingProcessParentFileName[":]+"([^"]*)"
Process Account Domain No 1 \bInitiatingProcessAccountDomain[":]+"([^"]*)"
Process Account Name No 1 \bInitiatingProcessAccountName[":]+"([^"]*)"
Process Account Security ID No 1 \bInitiatingProcessAccountSid[":]+"([^"]*)"
Process CommandLine Yes 1 \bInitiatingProcessCommandLine[":]+(.*?)","InitiatingProcessParentCreationTime
Process File Size No 1 \bInitiatingProcessFileSize[":]+(\d+)
ProcessID No 1 \bInitiatingProcessId[":]+(\d+)
Process Logon ID No 1 \bInitiatingProcessLogonId[":]+(\d+)
Procecss MD5 Hash No 1 \bInitiatingProcessMD5[":]+"([^"]*)"
Process Name Yes 1 \bInitiatingProcessFileName[":]+"([^"]*)"
Process Path Yes 1 \bInitiatingProcessFolderPath[":]+"([^"]*)"
Process SHA1 Hash No 1 \bInitiatingProcessSHA1[":]+"([^"]*)"
Process SHA256 No 1 \bInitiatingProcessSHA256[":]+"([^"]*)"
Registry Key Yes 1 \bRegistryKey[":]+"([^"]*)"
SHA1 Yes 1 \bSHA1[":]+"([^"]*)"
SHA256 Yes 1 \bSHA256[":]+"([^"]*)"
Threat Category No 1 ThreatCategory":"(.*?)",
Threat Family No 1 ThreatFamily":"(.*?)",
Threat Name Yes 1 ThreatName":"(.*?)",
Threat Severity No 1 Severity":"(.*?)"

(Back to top)

IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.0.2

The following table shows the updated custom properties in IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.0.2.

Table 5. New Custom Properties in IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.0.2
Name Optimized Capture Group Regex
MD5 Hash Yes 1 Md5":"(.*?)",
SHA1 Hash Yes 1 Sha1":"(.*?)",

(Back to top)

IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.0.1

The following table shows the new custom properties in IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.0.1.

Table 6. New Custom Properties in IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.0.1
Name Optimized Enabled Regex
File Directory 1 1 FilePath":"(.*?)",

The following table shows the changed custom properties in IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.0.1.

Table 7. Changed Custom Properties in IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.0.1
Name Optimized
Filename 1
File Extension 1
Urlhost 1

The following table shows the removed custom properties in IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.0.1.

Table 8. Removed Custom Properties in IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.0.1
Name Replaced With
File Path File Directory

(Back to top)

IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.0.0

The following table shows the custom properties in IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.0.0.

Table 9. Custom Properties in IBM Security QRadar Custom Properties for Microsoft 365 Defender Content Extension 1.0.0
Name Capture Group Regex
Filename 1 FileName":"(.*?)",
File Path 1 FilePath":"(.*?)",
File Hash 1 FileHash":"(.*?)",
MD5 Hash 1 Md5":"(.*?)",
SHA1 Hash 1 Sha1":"(.*?)",
SHA256 Hash 1 Sha256":"(.*?)",
Computer Name 1 MachineName":"(.*?)"
Threat Name 1 ThreatName":"(.*?)",
Threat Severity 1 Severity":"(.*?)"
Threat Category 1 ThreatCategory":"(.*?)",
Threat Family 1 ThreatFamily":"(.*?)",
Action 1 RemediationAction":"(.*?)",
Action Result 1 RemediationIsSuccess":(.*?),
URL 1 Url\"\:\"(.*?)\",
URLHost 1 Url\"\:\"(?:.*?:\/\/)?(?:www\.)?([^\/:\,\"]+)
IOC Name 1 IocName":"(.*?)",
IOC Value 1 IocValue":"(.*?)",
Execution Status 1 WasExecutingWhileDetected":(.*?),
Alert 1 AlertTitle":"(.*?)",
Alert_Category 1 Category":"(.*?)",
Alert_Severity 1 Severity":"(.*?)",
Reference Link 1 LinkToWDATP":"(.*?)",
Detection Engine 1 Source":"(.*?)",
File Extension 1 FileName":"[^\"\.]*\.([^\"]*?)"

(Back to top)