<span class="pill kill-chain">column</span>
<span class="pill kill-chain">accountName</span>
<span class="pill kill-chain">action</span>
<span class="pill kill-chain">activity</span>
<span class="pill kill-chain">activityType</span>
<span class="pill kill-chain">actor</span>
<span class="pill kill-chain">actorName</span>
<span class="pill kill-chain">alertId</span>
<span class="pill kill-chain">app</span>
<span class="pill kill-chain">assignedTo</span>
<span class="pill kill-chain">body</span>
<span class="pill kill-chain">category</span>
<span class="pill kill-chain">classification</span>
<span class="pill kill-chain">creationTime</span>
<span class="pill kill-chain">date_hour</span>
<span class="pill kill-chain">date_mday</span>
<span class="pill kill-chain">date_minute</span>
<span class="pill kill-chain">date_month</span>
<span class="pill kill-chain">date_second</span>
<span class="pill kill-chain">date_wday</span>
<span class="pill kill-chain">date_year</span>
<span class="pill kill-chain">date_zone</span>
<span class="pill kill-chain">description</span>
<span class="pill kill-chain">dest</span>
<span class="pill kill-chain">detectionSource</span>
<span class="pill kill-chain">detectorId</span>
<span class="pill kill-chain">determination</span>
<span class="pill kill-chain">devices{}.aadDeviceId</span>
<span class="pill kill-chain">devices{}.defenderAvStatus</span>
<span class="pill kill-chain">devices{}.deviceDnsName</span>
<span class="pill kill-chain">devices{}.firstSeen</span>
<span class="pill kill-chain">devices{}.healthStatus</span>
<span class="pill kill-chain">devices{}.loggedOnUsers{}.accountName</span>
<span class="pill kill-chain">devices{}.loggedOnUsers{}.domainName</span>
<span class="pill kill-chain">devices{}.mdatpDeviceId</span>
<span class="pill kill-chain">devices{}.onboardingStatus</span>
<span class="pill kill-chain">devices{}.osBuild</span>
<span class="pill kill-chain">devices{}.osPlatform</span>
<span class="pill kill-chain">devices{}.osProcessor</span>
<span class="pill kill-chain">devices{}.rbacGroupName</span>
<span class="pill kill-chain">devices{}.riskScore</span>
<span class="pill kill-chain">devices{}.version</span>
<span class="pill kill-chain">devices{}.vmMetadata</span>
<span class="pill kill-chain">devices{}.vmMetadata.cloudProvider</span>
<span class="pill kill-chain">devices{}.vmMetadata.resourceId</span>
<span class="pill kill-chain">devices{}.vmMetadata.subscriptionId</span>
<span class="pill kill-chain">devices{}.vmMetadata.vmId</span>
<span class="pill kill-chain">entities{}.aadUserId</span>
<span class="pill kill-chain">entities{}.accountName</span>
<span class="pill kill-chain">entities{}.applicationId</span>
<span class="pill kill-chain">entities{}.applicationName</span>
<span class="pill kill-chain">entities{}.detectionStatus</span>
<span class="pill kill-chain">entities{}.deviceId</span>
<span class="pill kill-chain">entities{}.domainName</span>
<span class="pill kill-chain">entities{}.entityType</span>
<span class="pill kill-chain">entities{}.evidenceCreationTime</span>
<span class="pill kill-chain">entities{}.fileName</span>
<span class="pill kill-chain">entities{}.filePath</span>
<span class="pill kill-chain">entities{}.ipAddress</span>
<span class="pill kill-chain">entities{}.parentProcessCreationTime</span>
<span class="pill kill-chain">entities{}.parentProcessFileName</span>
<span class="pill kill-chain">entities{}.parentProcessFilePath</span>
<span class="pill kill-chain">entities{}.parentProcessId</span>
<span class="pill kill-chain">entities{}.processCommandLine</span>
<span class="pill kill-chain">entities{}.processCreationTime</span>
<span class="pill kill-chain">entities{}.processId</span>
<span class="pill kill-chain">entities{}.remediationStatus</span>
<span class="pill kill-chain">entities{}.remediationStatusDetails</span>
<span class="pill kill-chain">entities{}.sha1</span>
<span class="pill kill-chain">entities{}.sha256</span>
<span class="pill kill-chain">entities{}.userPrincipalName</span>
<span class="pill kill-chain">entities{}.userSid</span>
<span class="pill kill-chain">entities{}.verdict</span>
<span class="pill kill-chain">eventtype</span>
<span class="pill kill-chain">firstActivity</span>
<span class="pill kill-chain">host</span>
<span class="pill kill-chain">id</span>
<span class="pill kill-chain">incidentId</span>
<span class="pill kill-chain">index</span>
<span class="pill kill-chain">investigationId</span>
<span class="pill kill-chain">investigationState</span>
<span class="pill kill-chain">lastActivity</span>
<span class="pill kill-chain">lastUpdatedTime</span>
<span class="pill kill-chain">linecount</span>
<span class="pill kill-chain">mitreTechniques{}</span>
<span class="pill kill-chain">mitre_technique_id</span>
<span class="pill kill-chain">providerAlertId</span>
<span class="pill kill-chain">resolvedTime</span>
<span class="pill kill-chain">serviceSource</span>
<span class="pill kill-chain">severity</span>
<span class="pill kill-chain">signature</span>
<span class="pill kill-chain">signature_id</span>
<span class="pill kill-chain">source</span>
<span class="pill kill-chain">sourcetype</span>
<span class="pill kill-chain">splunk_server</span>
<span class="pill kill-chain">splunk_server_group</span>
<span class="pill kill-chain">src</span>
<span class="pill kill-chain">status</span>
<span class="pill kill-chain">subject</span>
<span class="pill kill-chain">tag</span>
<span class="pill kill-chain">tag::app</span>
<span class="pill kill-chain">tag::eventtype</span>
<span class="pill kill-chain">threatFamilyName</span>
<span class="pill kill-chain">timeendpos</span>
<span class="pill kill-chain">timestartpos</span>
<span class="pill kill-chain">title</span>
<span class="pill kill-chain">type</span>
<span class="pill kill-chain">user</span>
<span class="pill kill-chain">user_name</span>
<span class="pill kill-chain">_time</span>
Data Source: MS Defender ATP Alerts
Description
Logs security alerts generated by Microsoft Defender for Endpoint, including information about detected threats, impacted devices, and recommended actions.
Details
| Property | Value |
|---|---|
| Source | ms_defender_atp_alerts |
| Sourcetype | ms:defender:atp:alerts |
Supported Apps
- Splunk Add-on for Microsoft Security (version 2.4.1)
Event Fields
Example Log
1{
2"id": "da47dc5671-e560-4229-984b-457564996b31_1",
3"incidentId": 989,
4"investigationId": null,
5"assignedTo": null,
6"severity": "High",
7"status": "New",
8"classification": null,
9"determination": null,
10"investigationState": "UnsupportedAlertType",
11"detectionSource": "WindowsDefenderAtp",
12"detectorId": "9c3a70ec-e18a-4f92-865a-530f73130b7c",
13"category": "LateralMovement",
14"threatFamilyName": null,
15"title": "Ongoing hands-on-keyboard attack via Impacket toolkit",
16"description": "Suspicious execution of a command via Impacket was observed on this device. This tool connects to other hosts to explore network shares and execute commands. Attackers might be attempting to move laterally across the network using this tool. This usage of Impacket has often been observed in hands-on-keyboard attacks, where ransomware and other payloads are installed on target devices.",
17"alertCreationTime": "2023-01-24T05:33:37.3245808Z",
18"firstEventTime": "2023-01-24T05:31:07.5276179Z",
19"lastEventTime": "2023-01-24T13:02:50.7831636Z",
20"lastUpdateTime": "2023-01-24T13:07:13.3233333Z",
21"resolvedTime": null,
22"machineId": "302293d9f276eae65553e5042156bce93cbc7148",
23"computerDnsName": "diytestmachine",
24"rbacGroupName": "UnassignedGroup",
25"aadTenantId": "1a492129-58c8-4011-91cd-245285f5345c",
26"threatName": null,
27"mitreTechniques": [
28 "T1021.002",
29 "T1047",
30 "T1059.003"
31],
32"relatedUser": {
33 "userName": "User1",
34 "domainName": "DIYTESTMACHINE"
35},
36"loggedOnUsers": [
37 {
38 "accountName": "administrator1",
39 "domainName": "DIYTESTMACHINE"
40 }
41],
42"comments": [],
43"evidence": [
44 {
45 "entityType": "Process",
46 "evidenceCreationTime": "2023-01-24T05:45:51.6833333Z",
47 "sha1": "3ea7cc066317ac45f963c2227c4c7c50aa16eb7c",
48 "sha256": "2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3",
49 "fileName": "WmiPrvSE.exe",
50 "filePath": "C:\\Windows\\System32\\wbem",
51 "processId": 4476,
52 "processCommandLine": "wmiprvse.exe -secured -Embedding",
53 "processCreationTime": "2023-01-24T05:43:32.4631151Z",
54 "parentProcessId": 896,
55 "parentProcessCreationTime": "2023-01-24T04:44:17.1940386Z",
56 "parentProcessFileName": "svchost.exe",
57 "parentProcessFilePath": "C:\\Windows\\System32",
58 "ipAddress": null,
59 "url": null,
60 "registryKey": null,
61 "registryHive": null,
62 "registryValueType": null,
63 "registryValue": null,
64 "registryValueName": null,
65 "accountName": "NETWORK SERVICE",
66 "domainName": "NT AUTHORITY",
67 "userSid": "S-1-5-20",
68 "aadUserId": null,
69 "userPrincipalName": null,
70 "detectionStatus": "Detected"
71 },
72 {
73 "entityType": "User",
74 "evidenceCreationTime": "2023-01-24T05:33:37.4166667Z",
75 "sha1": null,
76 "sha256": null,
77 "fileName": null,
78 "filePath": null,
79 "processId": null,
80 "processCommandLine": null,
81 "processCreationTime": null,
82 "parentProcessId": null,
83 "parentProcessCreationTime": null,
84 "parentProcessFileName": null,
85 "parentProcessFilePath": null,
86 "ipAddress": null,
87 "url": null,
88 "registryKey": null,
89 "registryHive": null,
90 "registryValueType": null,
91 "registryValue": null,
92 "registryValueName": null,
93 "accountName": "User1",
94 "domainName": "DIYTESTMACHINE",
95 "userSid": "S-1-5-21-4215714199-1288013905-3478400915-1002",
96 "aadUserId": null,
97 "userPrincipalName": null,
98 "detectionStatus": null
99 },
100 {
101 "entityType": "Process",
102 "evidenceCreationTime": "2023-01-24T05:33:37.4166667Z",
103 "sha1": "3ea7cc066317ac45f963c2227c4c7c50aa16eb7c",
104 "sha256": "2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3",
105 "fileName": "WmiPrvSE.exe",
106 "filePath": "C:\\Windows\\System32\\wbem",
107 "processId": 7824,
108 "processCommandLine": "wmiprvse.exe -secured -Embedding",
109 "processCreationTime": "2023-01-24T05:30:50.8649791Z",
110 "parentProcessId": 896,
111 "parentProcessCreationTime": "2023-01-24T04:44:17.1940386Z",
112 "parentProcessFileName": "svchost.exe",
113 "parentProcessFilePath": "C:\\Windows\\System32",
114 "ipAddress": null,
115 "url": null,
116 "registryKey": null,
117 "registryHive": null,
118 "registryValueType": null,
119 "registryValue": null,
120 "registryValueName": null,
121 "accountName": "NETWORK SERVICE",
122 "domainName": "NT AUTHORITY",
123 "userSid": "S-1-5-20",
124 "aadUserId": null,
125 "userPrincipalName": null,
126 "detectionStatus": "Detected"
127 },
128 {
129 "entityType": "Process",
130 "evidenceCreationTime": "2023-01-24T13:07:13.2233333Z",
131 "sha1": "f1efb0fddc156e4c61c5f78a54700e4e7984d55d",
132 "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450",
133 "fileName": "cmd.exe",
134 "filePath": "C:\\Windows\\System32",
135 "processId": 5500,
136 "processCommandLine": "cmd.exe /Q /c powershell -NoProfile -ExecutionPolicy Bypass -File \"C:\\Users\\administrator1\\Desktop\\SharedFolder\\payload.ps1\" 1> \\\\127.0.0.1\\SharedFolder\\__1674565222.7012053 2>&1",
137 "processCreationTime": "2023-01-24T13:02:50.4661885Z",
138 "parentProcessId": 756,
139 "parentProcessCreationTime": "2023-01-24T13:00:35.0107475Z",
140 "parentProcessFileName": "WmiPrvSE.exe",
141 "parentProcessFilePath": "C:\\Windows\\System32\\wbem",
142 "ipAddress": null,
143 "url": null,
144 "registryKey": null,
145 "registryHive": null,
146 "registryValueType": null,
147 "registryValue": null,
148 "registryValueName": null,
149 "accountName": "User1",
150 "domainName": "DIYTESTMACHINE",
151 "userSid": "S-1-5-21-4215714199-1288013905-3478400915-1002",
152 "aadUserId": null,
153 "userPrincipalName": null,
154 "detectionStatus": "Detected"
155 },
156 {
157 "entityType": "Process",
158 "evidenceCreationTime": "2023-01-24T05:33:37.4166667Z",
159 "sha1": "f1efb0fddc156e4c61c5f78a54700e4e7984d55d",
160 "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450",
161 "fileName": "cmd.exe",
162 "filePath": "C:\\Windows\\System32",
163 "processId": 8964,
164 "processCommandLine": "cmd.exe /Q /c powershell -NoProfile -ExecutionPolicy Bypass -File \"C:\\Users\\administrator1\\Desktop\\SharedFolder\\payload.ps1\" 1> \\\\127.0.0.1\\SharedFolder\\__1674538248.357367 2>&1",
165 "processCreationTime": "2023-01-24T05:31:04.0743902Z",
166 "parentProcessId": 7824,
167 "parentProcessCreationTime": "2023-01-24T05:30:50.8649791Z",
168 "parentProcessFileName": "WmiPrvSE.exe",
169 "parentProcessFilePath": "C:\\Windows\\System32\\wbem",
170 "ipAddress": null,
171 "url": null,
172 "registryKey": null,
173 "registryHive": null,
174 "registryValueType": null,
175 "registryValue": null,
176 "registryValueName": null,
177 "accountName": "User1",
178 "domainName": "DIYTESTMACHINE",
179 "userSid": "S-1-5-21-4215714199-1288013905-3478400915-1002",
180 "aadUserId": null,
181 "userPrincipalName": null,
182 "detectionStatus": "Detected"
183 },
184 {
185 "entityType": "Process",
186 "evidenceCreationTime": "2023-01-24T05:39:47.1733333Z",
187 "sha1": "f1efb0fddc156e4c61c5f78a54700e4e7984d55d",
188 "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450",
189 "fileName": "cmd.exe",
190 "filePath": "C:\\Windows\\System32",
191 "processId": 884,
192 "processCommandLine": "cmd.exe /Q /c powershell -NoProfile -ExecutionPolicy Bypass -File \"C:\\Users\\administrator1\\Desktop\\SharedFolder\\payload.ps1\" 1> \\\\127.0.0.1\\SharedFolder\\__1674538583.8648584 2>&1",
193 "processCreationTime": "2023-01-24T05:36:38.826505Z",
194 "parentProcessId": 7736,
195 "parentProcessCreationTime": "2023-01-24T05:36:26.0524655Z",
196 "parentProcessFileName": "WmiPrvSE.exe",
197 "parentProcessFilePath": "C:\\Windows\\System32\\wbem",
198 "ipAddress": null,
199 "url": null,
200 "registryKey": null,
201 "registryHive": null,
202 "registryValueType": null,
203 "registryValue": null,
204 "registryValueName": null,
205 "accountName": "User1",
206 "domainName": "DIYTESTMACHINE",
207 "userSid": "S-1-5-21-4215714199-1288013905-3478400915-1002",
208 "aadUserId": null,
209 "userPrincipalName": null,
210 "detectionStatus": "Detected"
211 },
212 {
213 "entityType": "Process",
214 "evidenceCreationTime": "2023-01-24T13:07:13.2233333Z",
215 "sha1": "3ea7cc066317ac45f963c2227c4c7c50aa16eb7c",
216 "sha256": "2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3",
217 "fileName": "WmiPrvSE.exe",
218 "filePath": "C:\\Windows\\System32\\wbem",
219 "processId": 756,
220 "processCommandLine": "wmiprvse.exe -secured -Embedding",
221 "processCreationTime": "2023-01-24T13:00:35.0107475Z",
222 "parentProcessId": 908,
223 "parentProcessCreationTime": "2023-01-24T08:20:44.6877667Z",
224 "parentProcessFileName": "svchost.exe",
225 "parentProcessFilePath": "C:\\Windows\\System32",
226 "ipAddress": null,
227 "url": null,
228 "registryKey": null,
229 "registryHive": null,
230 "registryValueType": null,
231 "registryValue": null,
232 "registryValueName": null,
233 "accountName": "NETWORK SERVICE",
234 "domainName": "NT AUTHORITY",
235 "userSid": "S-1-5-20",
236 "aadUserId": null,
237 "userPrincipalName": null,
238 "detectionStatus": "Detected"
239 },
240 {
241 "entityType": "Process",
242 "evidenceCreationTime": "2023-01-24T05:45:51.6833333Z",
243 "sha1": "f1efb0fddc156e4c61c5f78a54700e4e7984d55d",
244 "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450",
245 "fileName": "cmd.exe",
246 "filePath": "C:\\Windows\\System32",
247 "processId": 1140,
248 "processCommandLine": "cmd.exe /Q /c powershell -NoProfile -ExecutionPolicy Bypass -File \"C:\\Users\\administrator1\\Desktop\\SharedFolder\\payload.ps1\" 1> \\\\127.0.0.1\\SharedFolder\\__1674538878.1586335 2>&1",
249 "processCreationTime": "2023-01-24T05:43:49.9375398Z",
250 "parentProcessId": 4476,
251 "parentProcessCreationTime": "2023-01-24T05:43:32.4631151Z",
252 "parentProcessFileName": "WmiPrvSE.exe",
253 "parentProcessFilePath": "C:\\Windows\\System32\\wbem",
254 "ipAddress": null,
255 "url": null,
256 "registryKey": null,
257 "registryHive": null,
258 "registryValueType": null,
259 "registryValue": null,
260 "registryValueName": null,
261 "accountName": "User1",
262 "domainName": "DIYTESTMACHINE",
263 "userSid": "S-1-5-21-4215714199-1288013905-3478400915-1002",
264 "aadUserId": null,
265 "userPrincipalName": null,
266 "detectionStatus": "Detected"
267 },
268 {
269 "entityType": "Process",
270 "evidenceCreationTime": "2023-01-24T05:39:47.1733333Z",
271 "sha1": "3ea7cc066317ac45f963c2227c4c7c50aa16eb7c",
272 "sha256": "2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3",
273 "fileName": "WmiPrvSE.exe",
274 "filePath": "C:\\Windows\\System32\\wbem",
275 "processId": 7736,
276 "processCommandLine": "wmiprvse.exe -secured -Embedding",
277 "processCreationTime": "2023-01-24T05:36:26.0524655Z",
278 "parentProcessId": 896,
279 "parentProcessCreationTime": "2023-01-24T04:44:17.1940386Z",
280 "parentProcessFileName": "svchost.exe",
281 "parentProcessFilePath": "C:\\Windows\\System32",
282 "ipAddress": null,
283 "url": null,
284 "registryKey": null,
285 "registryHive": null,
286 "registryValueType": null,
287 "registryValue": null,
288 "registryValueName": null,
289 "accountName": "NETWORK SERVICE",
290 "domainName": "NT AUTHORITY",
291 "userSid": "S-1-5-20",
292 "aadUserId": null,
293 "userPrincipalName": null,
294 "detectionStatus": "Detected"
295 }
296],
297"domains": []
298}