Microsoft 365 Defender のサンプル・イベント・メッセージ

これらのサンプル・イベント・メッセージを使用して、 IBM QRadarとの統合が正常に行われたことを確認します。

重要:
  • Microsoft WindowsDefender ATP DSMの名称は、Microsoft 365Defender DSMに変更されました。 DSM RPM 名は、 QRadarでは Microsoft Windows Defender ATP のままです。
  • 2021 年 11 月 25 日時点で Microsoft Defender API スイートが変更されたため、Microsoft は SIEM API との新しい統合のオンボーディングを許可しなくなりました。 詳しくは、 レガシー SIEM API の非推奨化 (https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/deprecating-the-legacy-siem-api/ba-p/3139643) を参照してください。

    Streaming API は、 QRadarへのイベントおよびアラートの転送を提供するために Microsoft Azure Event Hubs プロトコルとともに使用できます。 サービスとその構成について詳しくは、 Configure Microsoft 365 Defender to stream Advanced ハンティング・イベント to your Azure Event Hub (https://docs.micosoft.com/en-us/microsoft-365/security/defender/streaming-api-event-hub?view=o365-worldwide) を参照してください。

Microsoft 365 Microsoft Azure Event Hubs プロトコルを使用する場合の Defender のサンプル・メッセージ

サンプル 1: 以下のサンプル・イベント・メッセージは、スケジュールされたタスクが正常に更新されたことを示しています。

重要: フォーマットの問題のため、メッセージ・フォーマットをテキスト・エディターに貼り付けてから、復帰文字または改行文字を削除してください。
"{"time":"2021-07-21T00:57:23.0186119Z","tenantId":"abc12345-123a-123a-456b-abcdefg12345","operationName":"Publish","category":"AdvancedHunting-DeviceEvents","properties":{"AccountSid":null,"AccountDomain":null,"AccountName":null,"LogonId":null,"FileName":null,"FolderPath":null,"MD5":null,"SHA1":null,"FileSize":null,"SHA256":null,"ProcessCreationTime":null,"ProcessTokenElevation":null,"RemoteUrl":null,"RegistryKey":null,"RegistryValueName":null,"RegistryValueData":null,"RemoteDeviceName":null,"FileOriginIP":null,"FileOriginUrl":null,"LocalIP":null,"LocalPort":null,"RemoteIP":null,"RemotePort":null,"ProcessId":null,"ProcessCommandLine":null,"AdditionalFields":"{\"TaskName\":\"\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\Schedule Maintenance Work\"}","ActionType":"ScheduledTaskUpdated","InitiatingProcessVersionInfoCompanyName":null,"InitiatingProcessVersionInfoProductName":null,"InitiatingProcessVersionInfoProductVersion":null,"InitiatingProcessVersionInfoInternalFileName":null,"InitiatingProcessVersionInfoOriginalFileName":null,"InitiatingProcessVersionInfoFileDescription":null,"InitiatingProcessFolderPath":null,"InitiatingProcessFileName":null,"InitiatingProcessFileSize":null,"InitiatingProcessMD5":null,"InitiatingProcessSHA256":null,"InitiatingProcessSHA1":null,"InitiatingProcessLogonId":999,"InitiatingProcessAccountSid":"S-1-5-18","InitiatingProcessAccountDomain":"m365defender","InitiatingProcessAccountName":"client-pc$","InitiatingProcessAccountUpn":null,"InitiatingProcessAccountObjectId":null,"InitiatingProcessCreationTime":null,"InitiatingProcessId":null,"InitiatingProcessCommandLine":null,"InitiatingProcessParentCreationTime":null,"InitiatingProcessParentId":null,"InitiatingProcessParentFileName":null,"DeviceId":"111122223333444455556666777788889999aaaa","AppGuardContainerId":"","MachineGroup":null,"Timestamp":"2021-07-21T00:55:44.2280946Z","DeviceName":"client-pc.example.net","ReportId":60533}}" );
表 1. Microsoft 365 Defender イベント内の強調表示されたフィールド
QRadarフィールド名 強調表示されたペイロードのフィールド名
イベント・カテゴリー カテゴリー
イベント ID ActionType
デバイス時刻 タイムスタンプ

サンプル 2: 以下のサンプル・イベント・メッセージは、キー・ロギング・アクティビティーの可能性に対するアラートを示しています。

{"time":"2021-09-09T00:40:17.7066896Z","tenantId":"abc12345-123a-123a-456b-abcdefg12345","operationName":"Publish","category":"AdvancedHunting-AlertInfo","properties":{"AlertId":"da637667448174310467_1631502683","Timestamp":"2021-09-09T00:39:17.1650944Z","Title":"Possible keylogging activity","ServiceSource":"Microsoft Defender for Endpoint","Category":"Collection","Severity":"High","DetectionSource":"EDR","MachineGroup":null,"AttackTechniques":"[\"Input Capture (T1056)\"]"}}
表 2. Microsoft 365 Defender イベント内の強調表示されたフィールド
QRadarフィールド名 強調表示されたペイロードのフィールド名
イベント・カテゴリー カテゴリー
イベント ID タイトル
デバイス時刻 タイムスタンプ

Microsoft 365 Microsoft Defender for Endpoint SIEM REST API プロトコルを使用する場合の Defender のサンプル・メッセージ

サンプル 1: 以下のサンプル・イベント・メッセージは、疑わしいアクティビティーを示しています。

{"AlertTime":"2017-12-27T03:54:41.1914393Z","ComputerDnsName":"<ComputerDnsName>","AlertTitle":"<AlertTitle>","Category":"CommandAndControl","Severity":"<Severity>","AlertId":"<AlertId>","Actor":"<Actor>","LinkToWDATP":"<LinkToWDATP>","IocName":"<IocName>","IocValue":"<IocValue>","CreatorIocName":"<CreatorIocName>","CreatorIocValue":"<CreatorIocValue>","Sha1":"<Sha1>","FileName":"<FileName>","FilePath":"<FilePath>","IpAddress":"192.0.2.0","Url":"<Url>","IoaDefinitionId":"<IoaDefinitionId>","UserName":"qradar1","AlertPart":"<AlertPart>","FullId":"<FullId>","LastProcessedTimeUtc":"2017-12-27T07:16:34.1412283Z","ThreatCategory":"<ThreatCategory>","ThreatFamily":"<ThreatFamily>","ThreatName":"<ThreatName>","RemediationAction":"<RemediationAction>","RemediationIsSuccess":"<RemediationIsSuccess>","Source":"WindowsDefenderAtp","Md5":"<Md5>","Sha256":"<Sha256>","WasExecutingWhileDetected":"<WasExecutingWhileDetected>","UserDomain":"<UserDomain>","LogOnUsers":"<LogOnUsers>","MachineDomain":"<MachineDomain>","MachineName":"<MachineName>","InternalIPv4List":"192.0.2.0;127.0.0.1","InternalIPv6List":"2001:0DB8:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF","FileHash":"<FileHash>","ExternalId":"<ExternalId>","IocUniqueId":"IocUniqueId"}
表 3. Microsoft 365 Defender サンプル・イベント内の強調表示されたフィールド
QRadarフィールド名 強調表示されたペイロードのフィールド名
デバイス時刻 AlertTime
イベント ID カテゴリー
送信元 IP IpAddress
送信元 IP v6 InternalIPv6List
Username UserName

サンプル 2: 以下のサンプル・イベント・メッセージは、バックドア・アクセスが検出されたことを示しています。

{"AlertTime":"2017-11-22T18:01:32.1887775Z","ComputerDnsName":"<ComputerDnsName>","AlertTitle":"<AlertTitle>","Category":"Backdoor","Severity":"<Severity>","AlertId":"<AlertId","Actor":"<Actor>","LinkToWDATP":"<LinkToWDATP>","IocName":"<IocName>","IocValue":"<IocValue>","CreatorIocName":"<CreatorIocName>","CreatorIocValue":"<CreatorIocValue>","Sha1":"<Sha1>","FileName":"<FileName>","FilePath":"<FilePath>","IpAddress":"192.0.2.0","Url":"<Url>","IoaDefinitionId":"<IoaDefinitionId>","UserName":"qradar1","AlertPart":"<AlertPart>","FullId":"<FullId>","LastProcessedTimeUtc":"2017-11-22T18:01:49.8739015Z","ThreatCategory":"<ThreatCategory>","ThreatFamily":"<ThreatFamily>","ThreatName":"<ThreatName>","RemediationAction":"<RemediationAction>","RemediationIsSuccess":"<RemediationIsSuccess>","Source":"WindowsDefenderAtp","Md5":"<Md5>","Sha256":"<Sha256>","WasExecutingWhileDetected":"<WasExecutingWhileDetected>","UserDomain":"<UserDomain>","LogOnUsers":"<LogOnUsers>","MachineDomain":"<MachineDomain>","MachineName":"<MachineName>","InternalIPv4List":"192.0.2.0;127.0.0.1","InternalIPv6List":"2001:0DB8:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF","FileHash":"<FileHash>","ExternalId":"<ExternalId>","IocUniqueId":"IocUniqueId"}
表 4. Microsoft 365 Defender サンプル・イベント内の強調表示されたフィールド
QRadarフィールド名 強調表示されたペイロードのフィールド名
デバイス時刻 AlertTime
イベント ID カテゴリー
送信元 IP IpAddress
送信元 IP v6 InternalIPv6List
Username UserName

Microsoft 365 Microsoft Graph Security API プロトコルを使用する場合の Defender のサンプル・メッセージ

サンプル 1: 以下のイベント・メッセージのサンプルは、このデバイスの疑わしいネットワーク・ イベントと近い時間帯に、別のデバイスの横方向の動きが観察されたことを示しています。 これは、データを収集したり特権を昇格させたりするために、攻撃者がデバイス間を横方向に移動しようとしている可能性があることを意味します。 このアラートは、Microsoft Defender のエンドポイント・アラートに基づいてトリガーされました。
{"id":"da637789431774501659_-1621338217","providerAlertId":"da637789431774501659_-1621338217","incidentId":"5","status":"resolved","severity":"medium","classification":null,"determination":null,"serviceSource":"microsoftDefenderForEndpoint","detectionSource":"microsoft365Defender","detectorId":"ab3e5834-3d38-42c5-aaa6-c1cfc6c02882","tenantId":"24d3dca4-61f8-4b86-8e22-612b71d65386","title":"Possible lateral movement","description":"Lateral movement on another device was observed in close time proximity to a suspicious network event on this device. This could mean that an attacker is attempting to move laterally across devices to gather data or elevate privileges. This alert was triggered based on a Microsoft Defender for Endpoint alert.","recommendedActions":"A. Validate the alert.\r\n1. Investigate the process, its behaviors, and the endpoint involved in the original alert for suspicious activity.\r\n2. Check for other suspicious activities in the device timeline.\r\n3. Locate unfamiliar processes in the process tree. Check files for prevalence, their locations, and digital signatures.\r\n4. Submit relevant files for deep analysis and review file behaviors.\r\n5. Identify unusual system activity with system owners.\r\n\r\nB. Scope the incident. Find related device, network addresses, and files in the incident graph.\r\n\r\nC. Contain and mitigate the breach. Stop suspicious processes, isolate affected devices, decommission compromised accounts or reset passwords, block IP addresses and URLs, and install security updates.\r\n\r\nD. Contact your incident response team, or contact Microsoft support for investigation and remediation services.","category":"LateralMovement","assignedTo":"testUser@testUser@example.test","alertWebUrl":"https://security.microsoft.com/alerts/da637789431774501659_-1621338217?tid=24d3dca4-61f8-4b86-8e22-612b71d65386","incidentWebUrl":"https://security.microsoft.com/incidents/5?tid=24d3dca4-61f8-4b86-8e22-612b71d65386","actorDisplayName":null,"threatDisplayName":null,"threatFamilyName":null,"mitreTechniques":["T1570","T1021.002","T1021.003","T1021.004","T1021.006"],"createdDateTime":"2022-01-28T05:06:17.4503018Z","lastUpdateDateTime":"2022-01-28T07:11:29.6933333Z","resolvedDateTime":"2022-01-28T05:21:32.5866667Z","firstActivityDateTime":"2022-01-28T04:53:35.0699463Z","lastActivityDateTime":"2022-01-28T04:53:35.0699463Z","comments":[],"evidence":[{"@odata.type":"#microsoft.graph.security.deviceEvidence","createdDateTime":"2022-01-28T05:06:17.51Z","evidenceRole":"impacted","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"firstSeenDateTime":"2022-01-28T01:15:01.628Z","mdeDeviceId":"12345testmdeDeviceid","azureAdDeviceId":null,"deviceDnsName":"testHost.test","osPlatform":"Windows10","osBuild":17763,"version":"1809","healthStatus":"active","riskScore":"high","rbacGroupId":0,"rbacGroupName":null,"onboardingStatus":"onboarded","defenderAvStatus":"updated","loggedOnUsers":[{"accountName":"testUser","domainName":"MPRTDEV"}]},{"@odata.type":"#microsoft.graph.security.processEvidence","createdDateTime":"2022-01-28T05:06:17.51Z","evidenceRole":"related","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"processId":4,"parentProcessId":0,"processCommandLine":"","processCreationDateTime":"2022-01-28T01:01:49.3539999Z","parentProcessCreationDateTime":null,"detectionStatus":null,"mdeDeviceId":null,"parentProcessImageFile":null,"imageFile":{"sha1":"3791cf139c5f9e5c97e9c091f73e441b6a9bbd30","sha256":"e2f1857de3560a5237ca7ea661fc3688715bbbf6baa483511d49baac4ce1acf9","fileName":"System","filePath":"c:\\windows\\system32\\ntoskrnl.exe","fileSize":null,"filePublisher":null,"signer":null,"issuer":null},"userAccount":{"accountName":"system","domainName":null,"userSid":"S-1-1-1","azureAdUserId":null,"userPrincipalName":null}},{"@odata.type":"#microsoft.graph.security.ipEvidence","createdDateTime":"2022-01-28T05:06:17.51Z","evidenceRole":"related","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"ipAddress":"10.0.0.5"},{"@odata.type":"#microsoft.graph.security.urlEvidence","createdDateTime":"2022-01-28T05:06:17.51Z","evidenceRole":"related","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"url":"mprtdev-win10b"},{"@odata.type":"#microsoft.graph.security.userEvidence","createdDateTime":"2022-01-28T05:06:17.51Z","evidenceRole":"impacted","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"userAccount":{"accountName":null,"domainName":null,"userSid":null,"azureAdUserId":null,"userPrincipalName":null}}]}
表 5. Microsoft 365 Defender サンプル・イベント内の強調表示されたフィールド
QRadarフィールド名 強調表示されたペイロードのフィールド名
デバイス時刻 createdDateTime
イベント ID カテゴリー
イベント・カテゴリー detectionSource
送信元 IP ipAddress
Username assignedTo
サンプル2: 次のイベント・メッセージのサンプルは、サービス・アナウンスを示しています。
{"startDateTime":"2025-03-05T23:57:40Z","endDateTime":"2026-02-02T08:00:00Z","lastModifiedDateTime":"2025-07-24T13:40:22.29Z","title":"(Updated) Microsoft Entra: Browser access will be enabled by default for all Android users","id":"X00000001","category":"planForChange","severity":"normal","tags":["Updated message","Feature update","User impact","Admin impact","Retirement"],"isMajorChange":true,"actionRequiredByDateTime":null,"services":["Microsoft Entra"],"hasAttachments":false,"viewPoint":null,"details":[{"name":"Summary","value":"Microsoft Entra will enable browser access by default for all Android users, retiring the \"Enable Browser Access\" feature in Microsoft Authenticator and Company Portal apps. This hardware-bound device registration change requires no admin action and will roll out automatically worldwide. Organizations not using Android can ignore this update."}],"body":{"contentType":"html","content":"<p>Updated July 24, 2025: We have updated the timeline. Thank you for your patience.</p><p>If your organization does not support Android devices, you can safely ignore this message.\n</p><p>As part of our overall security hardening efforts, we will migrate Microsoft Entra ID device registration to be hardware-bound. Since the device identity will be hardware-bound, we will retire the ability for users to enable a feature called <i>Enable Browser Access </i>(EBA) in the Microsoft Authenticator app and the Microsoft Company Portal app for Android. After this retirement, browser access will automatically be enabled as part of device registration.\n</p><p>[When this will happen:]\n</p><p>General Availability (Worldwide): We will communicate via Message center when we are ready to proceed.</p><p>[What you need to do to prepare:]\n</p><p>No action or preparation is required from admins or users regarding this change. The change will occur automatically.\n</p><p>The <i>Enable Browser Access</i> feature will retire from the Company Portal and Authenticator apps for Android:\n</p><p><img src=\"https://example.com/file/ccp/en-us/5adf2eac-6eb7-45b5-933d-334324a1dc12\" style=\"width: 300px;\" alt=\"user controls\">\n</p><p>This change was first announced in <a href=\"https://example.com/blog/example/whats-new-in-microsoft-entra---september-2024/4253153\" target=\"_blank\">What's new in Microsoft Entra - September 2024 | Microsoft Community Hub</a> (September 2024).\n</p><p>This rollout will happen automatically by the specified date with no admin action required before the rollout. Review your current configuration to determine the impact for your organization. You may want to notify your users about this change and update any relevant documentation.</p>"}}

2

表6. Microsoft 365 Defender サンプル・イベント内の強調表示されたフィールド
QRadarフィールド名 強調表示されたペイロードのフィールド名
デバイス時刻 startDateTime
イベント ID カテゴリー
イベント・カテゴリー ServiceAnnouncement