MicrosoftDefenderXDR: extract additional fields for Alert Evidence #1393

squioc · 2024-12-12T11:39:57Z

No description provided.

github-actions · 2024-12-12T11:40:27Z

Smart descriptions generated from the latest tests at 2024-12-17 10:38:22:

Test File	Smart Description
Microsoft/microsoft-365-defender/tests/test_additional_fields_error1.json	A new `Send` cloud app event have been received
Microsoft/microsoft-365-defender/tests/test_alert_evidence.json	New alert `Executable content from email blocked` with `Low` severity detected by `Microsoft Defender for Endpoint`
Microsoft/microsoft-365-defender/tests/test_alert_evidence_2.json	New alert `Phish delivered due to an IP allow policy` with `Informational` severity detected by `Microsoft Defender for Office 365`
Microsoft/microsoft-365-defender/tests/test_alert_evidence_3.json	New alert `PhishdeliveredduetoanETRoverride` with `Informational` severity detected by `MicrosoftDefenderforOffice365`
Microsoft/microsoft-365-defender/tests/test_cloud_app.json	New `AirInvestigationData` incident received: `Mail with malicious file is zapped - urn:ZappedFileInvestigation:13e4f3241b8e49faa8c8adcdb3d620dd`
Microsoft/microsoft-365-defender/tests/test_cloud_app2.json	New `AirInvestigationData` incident received: `Mail with malicious file is zapped - urn:ZappedFileInvestigation:13e4f3241b8e49faa8c8adcdb3d620dd`
Microsoft/microsoft-365-defender/tests/test_cloud_app3.json	A new `MailItemsAccessed` cloud app event have been received
Microsoft/microsoft-365-defender/tests/test_cloud_app4.json	A new `MessageReadReceiptReceived` cloud app event have been received
Microsoft/microsoft-365-defender/tests/test_connection_acknowledged.json	`5.6.7.8` connected to `1.2.3.4`
Microsoft/microsoft-365-defender/tests/test_connection_attempt.json	`5.6.7.8` connected to `1.2.3.4`
Microsoft/microsoft-365-defender/tests/test_detection_source.json	New alert `'Lodi' unwanted software was prevented` with `Informational` severity detected by `Microsoft Defender for Endpoint`
Microsoft/microsoft-365-defender/tests/test_device_event.json	`software_reporter_tool.exe` executed on `test.lab`
Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json	`browser.exe` executed on `user.company.local`
Microsoft/microsoft-365-defender/tests/test_device_events_2.json	Script with hash `9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08` ran on `computer.intranet.example`
Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json	`outlook.exe` executed on `device.company.fr`
Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json	`powershell.exe` executed on `device.name.fr`
Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json	`winword.exe` executed on `user.company.local`
Microsoft/microsoft-365-defender/tests/test_device_file_certificate_info.json	Verification of the certificate issued by `Microsoft Windows Production PCA 2011`
Microsoft/microsoft-365-defender/tests/test_device_file_event.json	`OneDriveSetup.exe` executed on `test.lab`
Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json	`commandexec.exe` executed on `device.company.local`
Microsoft/microsoft-365-defender/tests/test_device_image_load_event.json	`autosync.exe` executed on `test.lab`
Microsoft/microsoft-365-defender/tests/test_device_info_event_add_join.json	`Workstation` `ml-002` from `UnassignedGroup` onboarded: `AAD Joined`
Microsoft/microsoft-365-defender/tests/test_device_info_event_hybrid_join.json	`Workstation` `ml-002` from `Windows 10 - remediate threats automatically` onboarded: `Hybrid Azure AD Join`
Microsoft/microsoft-365-defender/tests/test_device_logon_events.json	`window manager``dwm-3`logged on`ml022`
Microsoft/microsoft-365-defender/tests/test_device_logon_failed.json	`domain``account`failed to log on`domain`
Microsoft/microsoft-365-defender/tests/test_device_network_connection.json	`1.2.3.4` connected to `5.6.7.8`
Microsoft/microsoft-365-defender/tests/test_device_network_events.json	`1.2.3.4` connected to `5.6.7.8`
Microsoft/microsoft-365-defender/tests/test_device_network_info.json	`Guest` interface `{B844C2B6-E379-47C8-A28B-784DF7D3D731}` on `ml022` is `Down`
Microsoft/microsoft-365-defender/tests/test_device_process_created.json	Process created using WMI query on `desktop01.example.org`
Microsoft/microsoft-365-defender/tests/test_device_process_events.json	`MpCmdRun.exe` executed on `ml022`
Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json	`ps` executed on `computer.intranet.example`
Microsoft/microsoft-365-defender/tests/test_device_registry_events.json	`omadmclient.exe` executed on `ml022`
Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json	Script with hash `9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08` ran on `computer.intranet.example`
Microsoft/microsoft-365-defender/tests/test_email_attachment_info.json	Email attachment `Outlook-it5xo44r.jpg` with hash `114bd151f8fb0c58642d2170da4ae7d7c57977260ac2cc8905306cab6b2acabc` from `[email protected]` to `[email protected]`
Microsoft/microsoft-365-defender/tests/test_email_delivered.json	`Delivered` email from `[email protected]` to `[email protected]`
Microsoft/microsoft-365-defender/tests/test_email_delivered2.json	`Delivered` email from `[email protected]` to `[email protected]`
Microsoft/microsoft-365-defender/tests/test_email_events.json	`software_reporter_tool.exe` executed on `test.lab`
Microsoft/microsoft-365-defender/tests/test_email_post_delivery.json	`Moved to quarantine` email for `[email protected]`
Microsoft/microsoft-365-defender/tests/test_email_url_info.json	`software_reporter_tool.exe` executed on `test.lab`
Microsoft/microsoft-365-defender/tests/test_email_url_info_2.json	`https://example.com/index.php?q=some+stuff` is in an email
Microsoft/microsoft-365-defender/tests/test_identity_directory.json	`software_reporter_tool.exe` executed on `test.lab`
Microsoft/microsoft-365-defender/tests/test_identity_info.json	`software_reporter_tool.exe` executed on `test.lab`
Microsoft/microsoft-365-defender/tests/test_identity_info_2.json	Identity info about `123456`(`DOE John`)
Microsoft/microsoft-365-defender/tests/test_identity_logon.json	`software_reporter_tool.exe` executed on `test.lab`
Microsoft/microsoft-365-defender/tests/test_identity_logon_2.json	`LogonSuccess` for `john.doe` using `NULL`
Microsoft/microsoft-365-defender/tests/test_identity_logon_3.json	`LogonSuccess` for `johndoe` using `Ntlm`
Microsoft/microsoft-365-defender/tests/test_identity_query.json	Identity query: `NtAllocateVirtualMemoryApiCall` from `1.2.3.4` on `test.lab`(`5.6.7.8`)
Microsoft/microsoft-365-defender/tests/test_identity_query_2.json	Identity query: `DNS query` from `5.6.7.8` on `SRV-FILES`(`1.2.3.4`)
Microsoft/microsoft-365-defender/tests/test_inbound_connection_attempt.json	`1.2.3.4` connected to `5.6.7.8`
Microsoft/microsoft-365-defender/tests/test_local_ip.json	`software_reporter_tool.exe` executed on `test.lab`
Microsoft/microsoft-365-defender/tests/test_process_error.json	`grep` executed on `testDevice`
Microsoft/microsoft-365-defender/tests/test_url_click_events.json	`ClickAllowed` on `https://example.com/index.php?q=some+stuff`

TOUFIKIzakarya

LGFM

squioc added the enhancement New feature or request label Dec 12, 2024

squioc requested a review from a team December 12, 2024 11:39

fix(MicrosoftDefenderXDR): extract additional fields for Alert Evidence

5c29f4c

squioc force-pushed the fix/MicrosoftDefenderXDRAlertEvidence branch from 2713b35 to 5c29f4c Compare December 12, 2024 11:41

TOUFIKIzakarya approved these changes Dec 17, 2024

View reviewed changes

squioc added 2 commits December 17, 2024 11:23

Merge branch 'main' into fix/MicrosoftDefenderXDRAlertEvidence

ce86d9f

Merge branch 'main' into fix/MicrosoftDefenderXDRAlertEvidence

36aff2a

squioc merged commit 8228a42 into main Dec 17, 2024
7 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

MicrosoftDefenderXDR: extract additional fields for Alert Evidence #1393

MicrosoftDefenderXDR: extract additional fields for Alert Evidence #1393

squioc commented Dec 12, 2024

github-actions bot commented Dec 12, 2024 •

edited

Loading

TOUFIKIzakarya left a comment

MicrosoftDefenderXDR: extract additional fields for Alert Evidence #1393

MicrosoftDefenderXDR: extract additional fields for Alert Evidence #1393

Conversation

squioc commented Dec 12, 2024

github-actions bot commented Dec 12, 2024 • edited Loading

TOUFIKIzakarya left a comment

Choose a reason for hiding this comment

github-actions bot commented Dec 12, 2024 •

edited

Loading