Microsoft Windows Defender ATP sample event messages

Use these sample event messages to verify that the integration with QRadar® is working correctly.

The following table shows sample event messages for the Microsoft Windows Defender® ATP DSM when you use the Microsoft Windows Defender ATP REST API protocol.
Important: Because of formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Table 1. Microsoft Windows Defender ATP sample messages supported by Microsoft Windows Defender ATP
Columns: Event name / Low-level category / Sample log message

Event name: Windows Defender ATP Command and Control Alert
Low-level category: Suspicious Activity
Sample log message:
{"AlertTime":"2017-12-27T03:54:41.1914393Z","ComputerDnsName":"<ComputerDnsName>","AlertTitle":"<AlertTitle>","Category":"CommandAndControl","Severity":"<Severity>","AlertId":"<AlertId>","Actor":"<Actor>","LinkToWDATP":"<LinkToWDATP>","IocName":"<IocName>","IocValue":"<IocValue>","CreatorIocName":"<CreatorIocName>","CreatorIocValue":"<CreatorIocValue>","Sha1":"<Sha1>","FileName":"<FileName>","FilePath":"<FilePath>","IpAddress":"192.0.2.0","Url":"<Url>","IoaDefinitionId":"<IoaDefinitionId>","UserName":"qradar1","AlertPart":"<AlertPart>","FullId":"<FullId>","LastProcessedTimeUtc":"2017-12-27T07:16:34.1412283Z","ThreatCategory":"<ThreatCategory>","ThreatFamily":"<ThreatFamily>","ThreatName":"<ThreatName>","RemediationAction":"<RemediationAction>","RemediationIsSuccess":"<RemediationIsSuccess>","Source":"WindowsDefenderAtp","Md5":"<Md5>","Sha256":"<Sha256>","WasExecutingWhileDetected":"<WasExecutingWhileDetected>","UserDomain":"<UserDomain>","LogOnUsers":"<LogOnUsers>","MachineDomain":"<MachineDomain>","MachineName":"<MachineName>","InternalIPv4List":"192.0.2.0;127.0.0.1","InternalIPv6List":"2001:0DB8:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF","FileHash":"<FileHash>","ExternalId":"<ExternalId>","IocUniqueId":"IocUniqueId"}

Event name: Windows Defender ATP Malware Alert
Low-level category: Misc Malware
Sample log message:
{"AlertTime":"2017-12-26T21:28:21.5123241Z","ComputerDnsName":"<ComputerDnsName>","AlertTitle":"<AlertTitle>","Category":"Malware","Severity":"<Severity>","AlertId":"<AlertId>","Actor":"<Actor>","LinkToWDATP":"<LinkToWDATP>","IocName":"<IocName>","IocValue":"<IocValue>","CreatorIocName":"<CreatorIocName>","CreatorIocValue":"<CreatorIocValue>","Sha1":"<Sha1>","FileName":"<FileName>","FilePath":"<FilePath>","IpAddress":"192.0.2.0","Url":"<Url>","IoaDefinitionId":"<IoaDefinitionId>","UserName":"qradar1","AlertPart":"<AlertPart>","FullId":"<FullId>","LastProcessedTimeUtc":"2017-12-27T04:54:17.1700156Z","ThreatCategory":"<ThreatCategory>","ThreatFamily":"<ThreatFamily>","ThreatName":"<ThreatName>","RemediationAction":"<RemediationAction>","RemediationIsSuccess":"<RemediationIsSuccess>","Source":"WindowsDefenderAtp","Md5":"<Md5>","Sha256":"<Sha256>","WasExecutingWhileDetected":"<WasExecutingWhileDetected>","UserDomain":"<UserDomain>","LogOnUsers":"<LogOnUsers>","MachineDomain":"<MachineDomain>","MachineName":"<MachineName>","InternalIPv4List":"192.0.2.0;127.0.0.1","InternalIPv6List":"2001:0DB8:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF","FileHash":"<FileHash>","ExternalId":"<ExternalId>","IocUniqueId":"IocUniqueId"}

Event name: Windows Defender ATP Exploit Alert
Low-level category: Misc Exploit
Sample log message:
{"AlertTime":"2017-11-22T17:03:43.8840792Z","ComputerDnsName":"<ComputerDnsName>","AlertTitle":"<AlertTitle>","Category":"Exploit","Severity":"<Severity>","AlertId":"<AlertId>","Actor":"<Actor>","LinkToWDATP":"<LinkToWDATP>","IocName":"<IocName>","IocValue":"<IocValue>","CreatorIocName":"<CreatorIocName>","CreatorIocValue":"<CreatorIocValue>","Sha1":"<Sha1>","FileName":"<FileName>","FilePath":"<FilePath>","IpAddress":"192.0.2.0","Url":"<Url>","IoaDefinitionId":"<IoaDefinitionId>","UserName":"qradar1","AlertPart":"<AlertPart>","FullId":"<FullId>","LastProcessedTimeUtc":"2017-11-22T17:04:04.8338919Z","ThreatCategory":"<ThreatCategory>","ThreatFamily":"<ThreatFamily>","ThreatName":"<ThreatName>","RemediationAction":"<RemediationAction>","RemediationIsSuccess":"<RemediationIsSuccess>","Source":"WindowsDefenderAtp","Md5":"<Md5>","Sha256":"<Sha256>","WasExecutingWhileDetected":"<WasExecutingWhileDetected>","UserDomain":"<UserDomain>","LogOnUsers":"<LogOnUsers>","MachineDomain":"<MachineDomain>","MachineName":"<MachineName>","InternalIPv4List":"192.0.2.0;127.0.0.1","InternalIPv6List":"2001:0DB8:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF","FileHash":"<FileHash>","ExternalId":"<ExternalId>","IocUniqueId":"IocUniqueId"}

Event name: Windows Defender ATP Backdoor Alert
Low-level category: Backdoor Detected
Sample log message:
{"AlertTime":"2017-11-22T18:01:32.1887775Z","ComputerDnsName":"<ComputerDnsName>","AlertTitle":"<AlertTitle>","Category":"Backdoor","Severity":"<Severity>","AlertId":"<AlertId>","Actor":"<Actor>","LinkToWDATP":"<LinkToWDATP>","IocName":"<IocName>","IocValue":"<IocValue>","CreatorIocName":"<CreatorIocName>","CreatorIocValue":"<CreatorIocValue>","Sha1":"<Sha1>","FileName":"<FileName>","FilePath":"<FilePath>","IpAddress":"192.0.2.0","Url":"<Url>","IoaDefinitionId":"<IoaDefinitionId>","UserName":"qradar1","AlertPart":"<AlertPart>","FullId":"<FullId>","LastProcessedTimeUtc":"2017-11-22T18:01:49.8739015Z","ThreatCategory":"<ThreatCategory>","ThreatFamily":"<ThreatFamily>","ThreatName":"<ThreatName>","RemediationAction":"<RemediationAction>","RemediationIsSuccess":"<RemediationIsSuccess>","Source":"WindowsDefenderAtp","Md5":"<Md5>","Sha256":"<Sha256>","WasExecutingWhileDetected":"<WasExecutingWhileDetected>","UserDomain":"<UserDomain>","LogOnUsers":"<LogOnUsers>","MachineDomain":"<MachineDomain>","MachineName":"<MachineName>","InternalIPv4List":"192.0.2.0;127.0.0.1","InternalIPv6List":"2001:0DB8:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF","FileHash":"<FileHash>","ExternalId":"<ExternalId>","IocUniqueId":"IocUniqueId"}
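As an added example that is not IBM, QRadar or Microsoft code, the following Python does what the note above asks for and checks the mapping that Table 1 documents: it strips the carriage return and line feed characters that a copy from this page picks up, parses the alert, validates the fields a DSM would need, and maps the alert's Category to the event name and low-level category in Table 1. The sample input is a constructed, abridged copy of the CommandAndControl row; the function names and the placeholder check are assumptions of this example.

```python
import json
from datetime import datetime, timezone

# Event name and low-level category per Table 1, keyed on the alert's "Category" field.
CATEGORY_MAP = {
    "CommandAndControl": ("Windows Defender ATP Command and Control Alert", "Suspicious Activity"),
    "Malware": ("Windows Defender ATP Malware Alert", "Misc Malware"),
    "Exploit": ("Windows Defender ATP Exploit Alert", "Misc Exploit"),
    "Backdoor": ("Windows Defender ATP Backdoor Alert", "Backdoor Detected"),
}
REQUIRED = ("AlertTime", "Category", "Severity", "AlertId", "Source", "ComputerDnsName")

# Constructed input: an abridged copy of the Table 1 CommandAndControl sample, with a CR/LF
# wrapped into the middle of AlertTime the way a copy from the documentation page can be.
SAMPLE_C2 = ('{"AlertTime":"2017-12-27T03:54:\r\n41.1914393Z","ComputerDnsName":"<ComputerDnsName>",'
             '"AlertTitle":"<AlertTitle>","Category":"CommandAndControl","Severity":"<Severity>",'
             '"AlertId":"<AlertId>","IpAddress":"192.0.2.0","UserName":"qradar1",'
             '"Source":"WindowsDefenderAtp","InternalIPv4List":"192.0.2.0;127.0.0.1",'
             '"InternalIPv6List":"2001:0DB8:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF"}')

def map_category(category):
    """Return (event name, low-level category) from Table 1, or None if there is no row."""
    return CATEGORY_MAP.get(category)

def normalize_alert(raw):
    """Strip CR/LF as the note above instructs, parse, validate, and map the alert to Table 1."""
    alert = json.loads(raw.replace("\r", "").replace("\n", ""))
    missing = [k for k in REQUIRED if k not in alert]
    if missing:
        raise ValueError("alert is missing required fields: %s" % missing)
    if alert["Source"] != "WindowsDefenderAtp":
        raise ValueError("unexpected Source: %r" % alert["Source"])
    mapped = map_category(alert["Category"])
    if mapped is None:
        raise ValueError("Category %r has no row in Table 1" % alert["Category"])
    # AlertTime carries 7 fractional digits; fromisoformat accepts at most 6 on older Pythons.
    head, _, frac = alert["AlertTime"].rstrip("Z").partition(".")
    when = datetime.fromisoformat(head + ("." + frac[:6] if frac else ""))
    # Values still wrapped in <...> are documentation placeholders, not data from a real tenant.
    placeholders = sorted(k for k, v in alert.items()
                          if isinstance(v, str) and v.startswith("<") and v.endswith(">"))
    return {
        "event_name": mapped[0],
        "low_level_category": mapped[1],
        "alert_time": when.replace(tzinfo=timezone.utc),
        "alert_id": alert["AlertId"],
        "source_ip": alert.get("IpAddress"),
        "internal_ipv4": [ip for ip in alert.get("InternalIPv4List", "").split(";") if ip],
        "placeholders": placeholders,
    }
```

Running the four Table 1 rows through normalize_alert is a quick way to confirm that each Category lands on the expected event name before the live feed is enabled.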