Microsoft Defender for Cloud sample event message

Use these sample event messages to verify a successful integration with IBM® QRadar®.

Important: Because of formatting constraints in this document, paste the sample message into a text editor and remove any carriage return or line feed characters before you use it.

Microsoft Defender for Cloud sample message when you use the Microsoft Graph Security API protocol

The following sample shows that a user attempted to access resources by using a suspicious IP address.

{ "id": "1111d111-fa11-111a-11b1-c1e11c111a11", "azureTenantId": "00000001-0001-0001-0001-000000000001", "azureSubscriptionId": "", "riskScore": null, "tags": [], "activityGroupName": null, "assignedTo": "", "category": "Malicious_IP", "closedDateTime": null, "comments": [], "confidence": 0, "createdDateTime": "2020-01-11T14:36:57.2738949Z", "description": "Network traffic analysis indicates that your devices communicated with what might be a Command and Control center for a malware of type Dridex. Dridex is a banking trojan family that steals credentials of online banking websites. Dridex is typically distributed via phishing emails with Microsoft Word and Excel document attachments. These Office documents contain malicious macro code that downloads and installs Dridex on the affected system.", "detectionIds": [], "eventDateTime": "2020-01-09T11:02:01Z", "feedback": null, "lastModifiedDateTime": "2020-01-11T14:37:05.1157187Z", "recommendedActions": [ "1. Escalate the alert to your security administrator.", "2. Add the source IP address to your local FW block list for 24 hours. For more information, see Plan virtual networks (https://sub.domain.test/en-us/documentation/articles/virtual-networks-nsg/).", "3. Make sure your devices are completely updated and have updated antimalware installed.", "4. Run a full anti-virus scan and verify that the threat was removed.", "5. Install and run Microsoft’s Malicious Software Removal Tool (https://www.domain.test/en-us/security/pc-security/malware-removal.aspx).", "6. Run Microsoft’s Autoruns utility and try to identify unknown applications that are configured to run when you sign in. For more information, see Autoruns for Windows (https://technet.domain.test/en-us/sysinternals/bb963902.aspx).", "7. Run Process Explorer and try to identify any unknown processes that are running. For more information, see Process Explorer (https://technet.domain.test/en-us/sysinternals/bb896653.aspx)." 
], "severity": "high", "sourceMaterials": [], "status": "newAlert", "title": "Network communication with a malicious IP", "vendorInformation": { "provider": "Azure Security Center", "providerVersion": "3.0", "subProvider": null, "vendor": "Microsoft" }, "cloudAppStates": [], "fileStates": [], "hostStates": [ { "fqdn": "abc-TestName.AAA111.ondomain.test", "isAzureAdJoined": null, "isAzureAdRegistered": null, "isHybridAzureDomainJoined": false, "netBiosName": "abc-TestName", "os": "", "privateIpAddress": null, "publicIpAddress": "172.16.37.125", "riskScore": "0" } ], "historyStates": [], "malwareStates": [ { "category": "Trojan", "family": "Dridex", "name": "", "severity": "", "wasRunning": true } ], "networkConnections": [], "processes": [], "registryKeyStates": [], "triggers": [], "userStates": [ { "aadUserId": "", "accountName": "TestName", "domainName": "AAA111.ondomain.test", "emailRole": "unknown", "isVpn": null, "logonDateTime": null, "logonId": "0", "logonIp": null, "logonLocation": null, "logonType": null, "onPremisesSecurityIdentifier": "", "riskScore": "0", "userAccountType": null, "userPrincipalName": "TestName@AAA111.ondomain.test" } ], "vulnerabilityStates": []}
Table 1. Highlighted fields
QRadar field name Highlighted payload field name
Event Category category
Log Source Time eventDateTime
Username accountName
Source IP publicIpAddress

Microsoft Defender for Cloud sample message when you use the Microsoft Azure Event Hubs protocol

The following sample shows that a user attempted to manipulate a WordPress theme by using code injection.

{ "id": "/subscriptions/f57e6412-aaaa-1234-bbbb-11653c15d2b8/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/72cd4617-1234-1234-1234-ed28e3ed4124", "name": "72cd4617-1234-1234-1234-ed28e3ed4124", "type": "Microsoft.Security/Locations/alerts", "properties": { "status": "Active", "timeGeneratedUtc": "2022-12-13T09:39:40.4643132Z", "processingEndTimeUtc": "2022-12-13T09:39:39.9451937Z", "version": "2022-01-01.0", "vendorName": "Microsoft", "productName": "Microsoft Defender for Cloud", "alertType": "SIMULATED_APPS_WpThemeInjection", "startTimeUtc": "2022-12-13T09:39:37.9451937Z", "endTimeUtc": "2022-12-13T09:39:37.9451937Z", "severity": "High", "isIncident": false, "systemtestId": "72cd4617-1234-1234-1234-ed28e3ed4124", "intent": "Unknown", "resourceIdentifiers": [ { "$id": "centralus_1", "azureResourceId": "/SUBSCRIPTIONS/f57e6412-aaaa-1234-bbbb-11653c15d2b8/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App", "type": "AzureResource", "azureResourceTenantId": "7106186f-1234-1234-1234-9d6431c4a909" } ], "compromisedEntity": "Sample-App", "alertDisplayName": "[SAMPLE ALERT] Suspicious WordPress theme invocation detected", "description": "THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\r\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\r\nThis type of activity was seen in the past as part of an attack campaign over WordPress.", "remediationSteps": [ "1. If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.", "2. If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://example.com) for it." 
], "entities": [ { "$id": "centralus_2", "hostName": "Sample-App", "azureID": "/SUBSCRIPTIONS/f57e6412-aaaa-1234-bbbb-11653c15d2b8/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App", "type": "host" } ], "alertUri": "https://example.com" } }
Table 2. Highlighted fields
QRadar field name Highlighted payload field name
Event ID alertType
Log Source Time startTimeUtc

The following is a sample event when you use the Microsoft Azure Event Hubs protocol.

{
    "VendorName": "Microsoft",
    "AlertType": "SIMULATED_K8S_SensitiveMount",
    "ProductName": "Microsoft Defender for Cloud",
    "StartTimeUtc": "2023-07-20T11:53:23.7354152Z",
    "EndTimeUtc": "2023-07-20T11:53:23.7354152Z",
    "TimeGenerated": "2023-07-20T11:53:39.7354152Z",
    "ProcessingEndTime": "2023-07-20T11:53:39.7354152Z",
    "Severity": "Medium",
    "Status": "New",
    "ProviderAlertStatus": null,
    "ConfidenceLevel": null,
    "ConfidenceScore": null,
    "ConfidenceReasons": null,
    "IsIncident": false,
    "SystemAlertId": "1213123123123123_Test837912479-222222222",
    "CorrelationKey": null,
    "Intent": "PrivilegeEscalation",
    "AzureResourceId": "/subscriptions/aaaaaa-bbbb-4ccc-dddd-eeeeeee7/resourceGroups/test/providers/Microsoft.Security/securityConnectors/gcp-connector/testdata/gcp-clusters-sample-cluster-test-c",
    "WorkspaceId": null,
    "WorkspaceSubscriptionId": null,
    "WorkspaceResourceGroup": null,
    "AgentId": null,
    "CompromisedEntity": "Sample-Cluster",
    "AlertDisplayName": "[SAMPLE ALERT] Container with a sensitive volume mount detected (Preview)",
    "Description": "THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a new container with a sensitive volume mount. The volume that was detected is a hostPath type which mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node.",
    "Entities": [
        {
            "$id": "4",
            "ImageId": "sample-image:v1",
            "Asset": false,
            "Type": "container-image"
        },
        {
            "$id": "5",
            "CloudResource": {
                "$id": "6",
                "ResourceId": "/subscriptions/950b61bf-99cc-49dc-aaea-2222222222222/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/testdata/gcp-clusters-sample-cluster-Test-c",
                "ResourceType": "Test1 Test Cluster",
                "Asset": false,
                "Type": "azure-resource"
            },
            "Asset": false,
            "Type": "K8s-cluster"
        },
        {
            "$ref": "6"
        },
        {
            "$id": "7",
            "Name": "Sample-namespace",
            "Cluster": {
                "$ref": "5"
            },
            "Asset": false,
            "Type": "K8s-namespace"
        },
        {
            "$id": "8",
            "Name": "sample-pod",
            "Namespace": {
                "$ref": "7"
            },
            "Asset": false,
            "Type": "K8s-pod"
        },
        {
            "$id": "9",
            "Name": "sample-container",
            "Image": {
                "$ref": "4"
            },
            "Pod": {
                "$ref": "8"
            },
            "Asset": false,
            "Type": "container"
        },
        {
            "$id": "10",
            "ProjectId": "012345678901",
            "ResourceType": "Test1 Test Cluster",
            "ResourceName": "Sample-Cluster",
            "Location": "Test-c",
            "LocationType": "Tester",
            "Metadata": {
                "IsGraphCenter": true
            },
            "Asset": true,
            "Type": "gcp-resource",
            "RelatedAzureResourceIds": {
                "MulticloudResourceMDCAzureId": "/subscriptions/aaaaa-bbbb-4ccc-dddd-eeeeeee7/resourceGroups/test/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-test-c",
                "MdcConnectorResourceAzureId": "/subscriptions/aaaaa-bbbb-4ccc-dddd-eeeeeee7/resourceGroups/test/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-test-c"
            }
        }
    ],
    "ExtendedLinks": null,
    "RemediationSteps": [
        "Review the container and the path in the alert details.",
        "If possible, consider mounting only specific folders or files that are necessary to the container operation.",
        "If the container is not legitimate, escalate the alert to the information security team."
    ],
    "ExtendedProperties": {
        "Namespace": "Sample-namespace",
        "Container image": "sample-image",
        "Container name": "sample-container",
        "Pod name": "sample-pod",
        "Sensitive mount name": "sample-mount",
        "Sensitive mount path": "/Sample",
        "resourceType": "Test1 Test Cluster"
    },
    "ResourceIdentifiers": [
        {
            "$id": "2",
            "AzureResourceId": "/subscriptions/aaaaaa-bbbb-4ccc-dddd-eeeeeee7/resourceGroups/test/providers/Microsoft.Security/securityConnectors/gcp-connector/testdata/gcp-clusters-sample-cluster-test-c",
            "Type": "AzureResource",
            "AzureResourceTenantId": "aaaaaaaa-bbbbbb-cccc-b857-eeeeeeee"
        },
        {
            "$id": "3",
            "AadTenantId": "abababab-ccdcdcdc-efefefef-12121212",
            "Type": "AAD"
        }
    ],
    "AlertUri": "https://portal.Test.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/Alerttest/alertId/123123123123_sadasdasd-ffff-4213213-cccc-123123123123213/subscriptionId/12121212-asasa-accaac-aaea-eeeeeeeeee/resourceGroup/Sample-Test/referencedFrom/alerttestLink/location/testlocation"
}
Table 3. Highlighted fields
QRadar field name Highlighted payload field name
Event ID AlertType
Log Source Time StartTimeUtc