Microsoft Defender for Endpoint¶
Microsoft Defender for Endpoint
About¶
Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Example endpoints may include laptops, phones, tablets, PCs, access points, routers, and firewalls.
Product Details¶
Vendor URL: https://www.microsoft.com/en-us/security/business/endpoint-security/microsoft-defender-endpoint
Product Type: EDR
Product Tier: Tier I
Integration Method: API, Azure Blob Storage
Integration URL: Azure Blob Storage
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 95-100%
Data Label: MICOSOFT_DEFENDER_ENDPOINT
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| time | metadata.event_timestamp |
| "STATUS_UPDATE" | metadata.event_type |
| "MICROSOFT_DEFENDER_ENDPOINT" | metadata.log_type |
| properties.ActionType | metadata.product_event_type |
| properties.ReportId | metadata.product_log_id |
| category | metadata.product_name |
| "Microsoft" | metadata.vendor_name |
| tenantId | observer.cloud.project.id |
| properties.InitiatingProcessAccountDomain | principal.administrative_domain |
| properties.DeviceName | principal.hostname |
| properties.InitiatingProcessCommandLine | principal.process.command_line |
| properties.InitiatingProcessFolderPath | principal.process.file.full_path |
| properties.InitiatingProcessMD5 | principal.process.file.md5 |
| properties.InitiatingProcessSHA1 | principal.process.file.sha1 |
| properties.InitiatingProcessSHA256 | principal.process.file.sha256 |
| properties.InitiatingProcessAccountName | principal.user.userid |
| properties.InitiatingProcessAccountSid | principal.user.windows_sid |
| properties.ActionType | security_result.summary |
| properties.FolderPath | target.file.full_path |
| properties.FileName | target.process.file.full_path |
| properties.MD5 | target.process.file.md5 |
| properties.SHA1 | target.process.file.sha1 |
| properties.SHA256 | target.process.file.sha256 |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| AdvancedHunting-EmailEvents | EMAIL_TRANSACTION |
| AdvancedHunting-DeviceFileEvents - FileCreated | FILE_CREATION |
| all other AdvancedHunting-DeviceFileEvents | FILE_MODIFICATION |
| AdvancedHunting-DeviceNetworkEvents | NETWORK_CONNECTION |
| DnsQueryResponse | NETWORK_DNS |
| Ip | NETWORK_UNCATEGORIZED |
| ProcessPrimaryTokenModified | PROCESS_INJECTION |
| PowerShellCommand, Launch, ServiceInstalled, AdvancedHunting-DeviceProcessEvents | PROCESS_LAUNCH |
| AdvancedHunting-DeviceImageLoadEvents | PROCESS_MODULE_LOAD |
| ScriptContent, GetClipboardData | PROCESS_OPEN |
| AdvancedHunting-DeviceRegistryEvents - RegistryValueCreated | REGISTRY_CREATION |
| AdvancedHunting-DeviceRegistryEvents - RegistryValueDeleted | REGISTRY_DELETION |
| AdvancedHunting-DeviceRegistryEvents | REGISTRY_MODIFICATION |
| SmartScreen | SCAN_HOST |
| MachineID | SCAN_PROCESS |
| ScheduledTaskCreated | SCHEDULED_TASK_CREATION |
| ScheduledTaskDeleted | SCHEDULED_TASK_DELETION |
| all other Scheduled | SCHEDULED_TASK_MODIFICATION |
| ServiceInstalled | SERVICE_CREATION |
| AdvancedHunting-DeviceEvents | STATUS_UPDATE |
| AdvancedHunting-DeviceLogonEvents | USER_LOGIN |
| AdvancedHunting-CloudAppEvents | USER_RESOURCE_UPDATE_PERMISSIONS |
| all others | GENERIC_EVENT |
Log Sample¶
{ "time": "2023-07-19T14:51:08.0728746Z", "tenantId": "12345678-4321-6789-abcd-abcdef123456", "operationName": "Publish", "category": "AdvancedHunting-DeviceEvents", "properties": {"DeviceId":"7d4681d6d5bf2541322aa21f5fe5adeead9d56b3","DeviceName":"device.yourcompany.com","ReportId":12345,"Timestamp":"2023-07-19T14:48:07.3844632Z","InitiatingProcessId":4321,"InitiatingProcessCreationTime":"2023-07-19T05:40:15.2336088Z","InitiatingProcessCommandLine":"svchost.exe -k netsvcs -p -s ProfSvc","InitiatingProcessParentFileName":"services.exe","InitiatingProcessParentId":321,"InitiatingProcessParentCreationTime":"2023-07-19T05:40:13.9523211Z","InitiatingProcessSHA1":"123456789abcdef123456789abcdef9876543210","InitiatingProcessMD5":"9876543210fedcba9876543210fedcba","InitiatingProcessFileName":"svchost.exe","InitiatingProcessFolderPath":"c:\\windows\\system32\\svchost.exe","InitiatingProcessAccountName":"system","InitiatingProcessAccountDomain":"nt authority","SHA1":"123456789abcdef987654321657854abcdefabcd","MD5":"987654321456987abcdefabcde548632","FileName":"04-1 - NetworkStatus.lnk","FolderPath":"C:\\Users\\{USER}\\AppData\\Local\\Microsoft\\Windows\\WinX\\Group3","AccountName":null,"AccountDomain":null,"AdditionalFields":"{\"FileSizeInBytes\":1234,\"VolumeGuidPath\":\"\\\\\\\\?\\\\Volume{12345678-abcd-4321-9876-abcdef123456}\",\"IsOnRemovableMedia\":false,\"ShellLinkIconPath\":\"%windir%\\\\ImmersiveControlPanel\\\\systemsettings.exe\",\"ShellLinkCommandLine\":\"page=SettingsPageNetworkStatus\",\"ShellLinkRunAsAdmin\":false,\"ShellLinkShowCommand\":\"SW_SHOWNORMAL\"}","InitiatingProcessAccountSid":"S-1-5-18","AppGuardContainerId":"","InitiatingProcessSHA256":"321654987654321abcdefabcdefdcaefbadce987654321123456789abcdefabc","SHA256":"abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890","RemoteUrl":null,"ProcessCreationTime":"2023-07-19T14:48:07.3641456Z","ProcessTokenElevation":null,"ActionType":"ShellLinkCreateFileEvent","FileOriginUrl":null,"FileOriginIP":null,"InitiatingProcessLogonId":0,"AccountSid":null,"RemoteDeviceName":null,"RegistryKey":null,"RegistryValueName":null,"RegistryValueData":null,"LogonId":null,"LocalIP":null,"LocalPort":null,"RemoteIP":null,"RemotePort":null,"ProcessId":null,"ProcessCommandLine":null,"InitiatingProcessAccountUpn":null,"InitiatingProcessAccountObjectId":null,"FileSize":null,"InitiatingProcessFileSize":65421,"InitiatingProcessVersionInfoCompanyName":"Microsoft Corporation","InitiatingProcessVersionInfoProductName":"Microsoftâ–ˇ Windowsâ–ˇ Operating System","InitiatingProcessVersionInfoProductVersion":"10.0.17763.3346","InitiatingProcessVersionInfoInternalFileName":"svchost.exe","InitiatingProcessVersionInfoOriginalFileName":"svchost.exe","InitiatingProcessVersionInfoFileDescription":"Host Process for Windows Services","MachineGroup":"Fusion Servers"}, "Tenant": "DefaultTenant"}
Sample Parsing¶
about[0].labels[0].key"AdditionalFields"
about[0].labels[0].value"{\"FileSizeInBytes\":1234,\"VolumeGuidPath\":\"\\\\\\\\?\\\\Volume{12345678-abcd-4321-9876-abcdef123456}\",\"IsOnRemovableMedia\":false,\"ShellLinkIconPath\":\"%windir%\\\\ImmersiveControlPanel\\\\systemsettings.exe\",\"ShellLinkCommandLine\":\"page=SettingsPageNetworkStatus\",\"ShellLinkRunAsAdmin\":false,\"ShellLinkShowCommand\":\"SW_SHOWNORMAL\"}"
metadata.event_timestamp"2023-07-19T14:51:08.0728746Z"
metadata.event_type"STATUS_UPDATE"
metadata.product_event_type"ShellLinkCreateFileEvent"
metadata.product_log_id"12345"
metadata.product_name"AdvancedHunting-DeviceEvents"
metadata.vendor_name"Microsoft"
observer.cloud.project.id"12345678-4321-6789-abcd-abcdef123456"
principal.administrative_domain"nt authority"
principal.hostname"device"
principal.process.command_line"svchost.exe -k netsvcs -p -s ProfSvc"
principal.process.file.full_path"c:\windows\system32\svchost.exe"
principal.process.file.md5"987654321456987abcdefabcde548632"
principal.process.file.sha1"123456789abcdef987654321657854abcdefabcd"
principal.process.file.sha256"abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890"
principal.process.parent_process.file.full_path"services.exe"
principal.process.parent_process.pid"321"
principal.process.pid"4321"
principal.user.userid"system"
principal.user.windows_sid"S-1-5-18"
security_result[0].summary"ShellLinkCreateFileEvent"
target.file.full_path"C:\Users\Carmelita.Flores\AppData\Local\Microsoft\Windows\WinX\Group3"
target.process.file.full_path"04-1 - NetworkStatus.lnk"
target.process.file.md5"987654321456987abcdefabcde548632"
target.process.file.sha1"123456789abcdef987654321657854abcdefabcd"
target.process.file.sha256"abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890"