Windows Defender ATP¶
About¶
Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
With the integrated Microsoft 365 Defender solution, security professionals can stitch together the threat signals that each of these products receive and determine the full scope and impact of the threat; how it entered the environment, what it's affected, and how it's currently impacting the organization. Microsoft 365 Defender takes automatic action to prevent or stop the attack and self-heal affected mailboxes, endpoints, and user identities.
Product Details¶
Vendor URL: Windows Defender ATP
Product Type: EDR
Product Tier: Tier I
Integration Method: Custom
Integration URL: Defender for Endpoint Raw Data Streaming API
Log Guide: Windows Event Log Reference
Parser Details¶
Log Format: JSON, Syslog, and XML
Expected Normalization Rate: 80%
Data Label: WINDOWS_DEFENDER_ATP
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| category | metadata.product_event_type |
| operationName | metadata.description |
| properties.AccountDomain | principal.administrative_domain |
| properties.AccountName | principal.user.userid |
| properties.AccountSid | principal.user.windows_sid |
| properties.ActionType | security_result.action_details |
| properties.CertificateSerialNumber | network.tls.client.certificate.serial |
| properties.ClientVersion | principal.asset.software.version |
| properties.DeviceId | principal.asset_id |
| properties.DeviceName | principal.hostname |
| properties.DnsAddresses | network.dns.authority.name |
| properties.FileSize | target.file.size |
| properties.FolderPath | target.process.file.full_path |
| properties.InitiatingProcessAccountDomain | principal.administrative_domain |
| properties.InitiatingProcessAccountName | principal.user.userid |
| properties.InitiatingProcessAccountSid | principal.user.windows_sid |
| properties.InitiatingProcessAccountUpn | principal.user.user_display_name |
| properties.InitiatingProcessCommandLine | principal.process.command_line |
| properties.InitiatingProcessFileSize | principal.process.file.size |
| properties.InitiatingProcessFolderPath | principal.process.file.full_path |
| properties.InitiatingProcessId | principal.process.pid |
| properties.InitiatingProcessMD5 | principal.process.file.md5 |
| properties.InitiatingProcessParentId | principal.process.parent_pid |
| properties.InitiatingProcessSHA1 | principal.process.file.sha1 |
| properties.InitiatingProcessSHA256 | principal.process.file.sha256 |
| properties.IPAddresses | principal.ip |
| properties.IPv4Dhcp | network.dhcp.ciaddr |
| properties.Issuer | network.tls.client.certificate.issuer |
| properties.LocalIP | principal.ip |
| properties.LocalPort | principal.port |
| properties.LoggedOnUsers.DomainName | principal.administrative_domain |
| properties.LoggedOnUsers.Sid | principal.user.windows_sid |
| properties.LoggedOnUsers.UserName | principal.user.userid |
| properties.MacAddress | principal.mac |
| properties.PreviousRegistryKey | src.registry.registry_key |
| properties.PreviousRegistryValueData | src.registry.registry_value_data |
| properties.PreviousRegistryValueName | src.registry.registry_value_name |
| properties.ProcessCommandLine | target.process.command_line |
| properties.Protocol | extensions.auth.auth_details |
| properties.PublicIP | principal.nat_ip |
| properties.RegistryKey | target.registry.registry_key |
| properties.RegistryValueData | target.registry.registry_value_data |
| properties.RegistryValueName | target.registry.registry_value_name |
| properties.RemoteIP | target.ip |
| properties.RemotePort | target.port |
| properties.RemoteUrl | target.url |
| properties.SHA1 | network.tls.client.certificate.sha1 |
| properties.SignerHash | network.tls.client.certificate.sha256 |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| all other | GENERIC_EVENT |
| DeviceLogonEvents | USER_UNCATEGORIZED |
| DeviceNetworkEvents | NETWORK_CONNECTION,GENERIC_EVENT |
| DeviceProcessEvents | PROCESS_UNCATEGORIZED |
Log Sample¶
{"category":"AdvancedHunting-DeviceLogonEvents","operationName":"Publish","properties":{"AccountDomain":"domain","AccountName":"svc","AccountSid":"sid","ActionType":"LogonSuccess","AdditionalFields":"{\"IsLocalLogon\":false}","AppGuardContainerId":"","DeviceId":"devid","DeviceName":"n.domain.com","FailureReason":null,"InitiatingProcessAccountDomain":null,"InitiatingProcessAccountName":null,"InitiatingProcessAccountObjectId":null,"InitiatingProcessAccountSid":null,"InitiatingProcessAccountUpn":null,"InitiatingProcessCommandLine":null,"InitiatingProcessCreationTime":null,"InitiatingProcessFileName":null,"InitiatingProcessFileSize":null,"InitiatingProcessFolderPath":null,"InitiatingProcessId":0,"InitiatingProcessIntegrityLevel":null,"InitiatingProcessMD5":null,"InitiatingProcessParentCreationTime":null,"InitiatingProcessParentFileName":null,"InitiatingProcessParentId":0,"InitiatingProcessSHA1":null,"InitiatingProcessSHA256":null,"InitiatingProcessTokenElevation":"None","InitiatingProcessVersionInfoCompanyName":null,"InitiatingProcessVersionInfoFileDescription":null,"InitiatingProcessVersionInfoInternalFileName":null,"InitiatingProcessVersionInfoOriginalFileName":null,"InitiatingProcessVersionInfoProductName":null,"InitiatingProcessVersionInfoProductVersion":null,"IsLocalAdmin":null,"LogonId":logon,"LogonType":"Network","MachineGroup":null,"Protocol":"NTLM","RemoteDeviceName":"device","RemoteIP":"10.10.10.10","RemoteIPType":"Private","RemotePort":39387,"ReportId":26156,"Timestamp":"2021-09-30T12:54:53.1498857Z"},"tenantId":"redacted","time":"2021-09-30T12:57:43.3391759Z"}
Sample Parsing¶
metadata.event_timestamp = "2021-10-01T13:32:27.157242Z"
metadata.event_type = "USER_UNCATEGORIZED"
metadata.vendor_name = "Microsoft"
metadata.product_name = "Windows Defender ATP"
metadata.product_event_type = "AdvancedHunting-DeviceLogonEvents"
metadata.description = "Publish"
metadata.ingested_timestamp = "2021-10-01T13:32:27.157242Z"
principal.hostname = "n.domain.com"
principal.asset_id = "WD:devid"
principal.user.userid = "svc"
principal.user.windows_sid = "sid"
principal.process.pid = "0"
principal.process.parent_pid = "0"
principal.administrative_domain = "domain"
principal.asset.asset_id = "WD:devid"
target.ip = "10.10.10.10"
target.port = 39387
target.asset.ip = "10.10.10.10"
security_result.action_details = "LogonSuccess"
extensions.auth.auth_details = "NTLM"
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon