Microsoft Defender for Cloud sample event message

Use this sample event message to verify a successful integration with IBM® QRadar®.

Important: Because of formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Microsoft Defender for Cloud sample message when you use the Microsoft Graph Security API protocol

The following sample shows that a user attempted to access resources by using a suspicious IP address.

{ "id": "1111d111-fa11-111a-11b1-c1e11c111a11", "azureTenantId": "00000001-0001-0001-0001-000000000001", "azureSubscriptionId": "", "riskScore": null, "tags": [], "activityGroupName": null, "assignedTo": "", "category": "Malicious_IP", "closedDateTime": null, "comments": [], "confidence": 0, "createdDateTime": "2020-01-11T14:36:57.2738949Z", "description": "Network traffic analysis indicates that your devices communicated with what might be a Command and Control center for a malware of type Dridex. Dridex is a banking trojan family that steals credentials of online banking websites. Dridex is typically distributed via phishing emails with Microsoft Word and Excel document attachments. These Office documents contain malicious macro code that downloads and installs Dridex on the affected system.", "detectionIds": [], "eventDateTime": "2020-01-09T11:02:01Z", "feedback": null, "lastModifiedDateTime": "2020-01-11T14:37:05.1157187Z", "recommendedActions": [ "1. Escalate the alert to your security administrator.", "2. Add the source IP address to your local FW block list for 24 hours. For more information, see Plan virtual networks (https://sub.domain.test/en-us/documentation/articles/virtual-networks-nsg/).", "3. Make sure your devices are completely updated and have updated antimalware installed.", "4. Run a full anti-virus scan and verify that the threat was removed.", "5. Install and run Microsoft’s Malicious Software Removal Tool (https://www.domain.test/en-us/security/pc-security/malware-removal.aspx).", "6. Run Microsoft’s Autoruns utility and try to identify unknown applications that are configured to run when you sign in. For more information, see Autoruns for Windows (https://technet.domain.test/en-us/sysinternals/bb963902.aspx).", "7. Run Process Explorer and try to identify any unknown processes that are running. For more information, see Process Explorer (https://technet.domain.test/en-us/sysinternals/bb896653.aspx)." 
], "severity": "high", "sourceMaterials": [], "status": "newAlert", "title": "Network communication with a malicious IP", "vendorInformation": { "provider": "Azure Security Center", "providerVersion": "3.0", "subProvider": null, "vendor": "Microsoft" }, "cloudAppStates": [], "fileStates": [], "hostStates": [ { "fqdn": "abc-TestName.AAA111.ondomain.test", "isAzureAdJoined": null, "isAzureAdRegistered": null, "isHybridAzureDomainJoined": false, "netBiosName": "abc-TestName", "os": "", "privateIpAddress": null, "publicIpAddress": "172.16.37.125", "riskScore": "0" } ], "historyStates": [], "malwareStates": [ { "category": "Trojan", "family": "Dridex", "name": "", "severity": "", "wasRunning": true } ], "networkConnections": [], "processes": [], "registryKeyStates": [], "triggers": [], "userStates": [ { "aadUserId": "", "accountName": "TestName", "domainName": "AAA111.ondomain.test", "emailRole": "unknown", "isVpn": null, "logonDateTime": null, "logonId": "0", "logonIp": null, "logonLocation": null, "logonType": null, "onPremisesSecurityIdentifier": "", "riskScore": "0", "userAccountType": null, "userPrincipalName": "TestName@AAA111.ondomain.test" } ], "vulnerabilityStates": []}
Table 1. Highlighted fields

QRadar field name    Highlighted payload field name
Event Category       category
Log Source Time      eventDateTime
Username             accountName
Source IP            publicIpAddress

Microsoft Defender for Cloud sample message when you use the Microsoft Azure Event Hubs protocol

The following sample shows that a user attempted to manipulate a WordPress theme by code injection.

{ "id": "/subscriptions/f57e6412-aaaa-1234-bbbb-11653c15d2b8/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/72cd4617-1234-1234-1234-ed28e3ed4124", "name": "72cd4617-1234-1234-1234-ed28e3ed4124", "type": "Microsoft.Security/Locations/alerts", "properties": { "status": "Active", "timeGeneratedUtc": "2022-12-13T09:39:40.4643132Z", "processingEndTimeUtc": "2022-12-13T09:39:39.9451937Z", "version": "2022-01-01.0", "vendorName": "Microsoft", "productName": "Microsoft Defender for Cloud", "alertType": "SIMULATED_APPS_WpThemeInjection", "startTimeUtc": "2022-12-13T09:39:37.9451937Z", "endTimeUtc": "2022-12-13T09:39:37.9451937Z", "severity": "High", "isIncident": false, "systemtestId": "72cd4617-1234-1234-1234-ed28e3ed4124", "intent": "Unknown", "resourceIdentifiers": [ { "$id": "centralus_1", "azureResourceId": "/SUBSCRIPTIONS/f57e6412-aaaa-1234-bbbb-11653c15d2b8/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App", "type": "AzureResource", "azureResourceTenantId": "7106186f-1234-1234-1234-9d6431c4a909" } ], "compromisedEntity": "Sample-App", "alertDisplayName": "[SAMPLE ALERT] Suspicious WordPress theme invocation detected", "description": "THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\r\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\r\nThis type of activity was seen in the past as part of an attack campaign over WordPress.", "remediationSteps": [ "1. If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.", "2. If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://example.com) for it." 
], "entities": [ { "$id": "centralus_2", "hostName": "Sample-App", "azureID": "/SUBSCRIPTIONS/f57e6412-aaaa-1234-bbbb-11653c15d2b8/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App", "type": "host" } ], "alertUri": "https://example.com" } }
Table 2. Highlighted fields

QRadar field name    Highlighted payload field name
Event ID             alertType
Log Source Time      startTimeUtc
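As an added example that is not part of the IBM documentation, the following Python script performs the CR/LF cleanup the note above calls for, parses a sample alert, and pulls out the fields that Table 1 and Table 2 map to QRadar, so the values can be compared with what the log source shows after ingestion. The embedded samples are trimmed excerpts of the two alerts shown on this page, and the mapping paths (for example, reading the first hostStates and userStates entries) are assumptions derived from those payloads.

```python
import json
import re

# Trimmed excerpts of the two sample alerts on this page; only the keys that
# the field-mapping tables reference are kept. Line breaks are left in on
# purpose to exercise the CR/LF cleanup step.
GRAPH_SAMPLE = """{ "id": "1111d111-fa11-111a-11b1-c1e11c111a11",
 "category": "Malicious_IP", "eventDateTime": "2020-01-09T11:02:01Z",
 "hostStates": [ { "netBiosName": "abc-TestName",
   "publicIpAddress": "172.16.37.125" } ],
 "userStates": [ { "accountName": "TestName" } ] }"""

EVENT_HUBS_SAMPLE = """{ "name": "72cd4617-1234-1234-1234-ed28e3ed4124",
 "properties": { "alertType": "SIMULATED_APPS_WpThemeInjection",
   "startTimeUtc": "2022-12-13T09:39:37.9451937Z", "severity": "High" } }"""

# Table 1: Microsoft Graph Security API payload -> QRadar fields.
# Paths into nested arrays (first hostStates/userStates entry) are an assumption.
GRAPH_MAPPING = {
    "Event Category": ("category",),
    "Log Source Time": ("eventDateTime",),
    "Username": ("userStates", 0, "accountName"),
    "Source IP": ("hostStates", 0, "publicIpAddress"),
}

# Table 2: Microsoft Azure Event Hubs payload -> QRadar fields.
EVENT_HUBS_MAPPING = {
    "Event ID": ("properties", "alertType"),
    "Log Source Time": ("properties", "startTimeUtc"),
}


def normalize(raw: str) -> str:
    """Remove carriage return and line feed characters so the message is one line."""
    return re.sub(r"[\r\n]", "", raw)


def lookup(obj, path):
    """Walk a parsed JSON object along a path of keys/indexes; None if a step is missing."""
    for step in path:
        try:
            obj = obj[step]
        except (KeyError, IndexError, TypeError):
            return None
    return obj


def extract_fields(raw: str, mapping: dict) -> dict:
    """Parse a sample alert and return the QRadar fields named in the mapping."""
    event = json.loads(normalize(raw))
    return {field: lookup(event, path) for field, path in mapping.items()}
```

A None in the returned dictionary means the payload lacks the key the table expects, which is the first thing to check when a QRadar field shows up empty after ingestion.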