Data Source: Windows Defender Alerts

Security alerts generated by Windows Defender, with details about each detected threat, the affected files, and the recommended remediation actions. Note that in the sample event below, `AdditionalFields` and `Categories` are JSON documents serialized as strings, so their contents must be parsed a second time before they can be searched or matched.

Property Value
Source eventhub://windowsdefenderlogs
Sourcetype mscs:azure:eventhub:defender:advancedhunting
Separator AlertId
Fields

_time
AlertId
TenantId
OperationName
Category
Timestamp
EntityType
EvidenceRole
SHA1
SHA256
RemoteIP
LocalIP
RemoteUrl
AccountName
AccountDomain
AccountSid
AccountObjectId
DeviceId
ThreatFamily
EvidenceDirection
AdditionalFields
MachineGroup
NetworkMessageId
ServiceSource
FileName
FolderPath
ProcessCommandLine
EmailSubject
ApplicationId
Application
DeviceName
FileSize
RegistryKey
RegistryValueName
RegistryValueData
AccountUpn
OAuthApplicationId
Categories
Title
AttackTechniques
DetectionSource
Severity
{"time": "2024-06-14T20:12:23.3360383Z", "tenantId": "abced-c7ee-abce-1123-123", "operationName": "Publish", "category": "AdvancedHunting-AlertEvidence", "properties": {"Timestamp": "2024-04-14T19:59:59.1549925Z", "AlertId": "dc25", "EntityType": "CloudResource", "EvidenceRole": "Impacted", "SHA1": null, "SHA256": null, "RemoteIP": null, "LocalIP": null, "RemoteUrl": null, "AccountName": null, "AccountDomain": null, "AccountSid": null, "AccountObjectId": null, "DeviceId": null, "ThreatFamily": null, "EvidenceDirection": null, "AdditionalFields": "{\"ResourceId\":\"/subscriptions/1-2-3-4/resourceGroups/pluginframework/ providers/Microsoft.Compute/virtualMachines/phantom-identity\",\"ResourceType\":\"Virtual Machine\",\"ResourceName\":\"phantom-identity\",\"Asset\":true,\" Type\":\"azure-resource\",\"Role\":0,\"MergeByKey\":\"abcd=\",\"MergeByKeyHex\":\"1234\"}", "MachineGroup": null, "NetworkMessageId": null, "ServiceSource": "Microsoft Defender for Cloud", "FileName": null, "FolderPath": null, "ProcessCommandLine": null, "EmailSubject": null, "ApplicationId": null, "Application": null, "DeviceName": null, "FileSize": null, "RegistryKey": null, "RegistryValueName": null, "RegistryValueData": null, "AccountUpn": null, "OAuthApplicationId": null, "Categories": "[\"InitialAccess\"]", "Title": "Suspicious authentication activity", "AttackTechniques": "", "DetectionSource": "DefenderForServers", "Severity": "High"}, "Tenant": "DefaultTenant"}
