sample_event.json
{
"@timestamp": "2023-09-22T03:31:55.887Z",
"agent": {
"ephemeral_id": "20bd2ad7-6c7e-4d34-9d55-57edc09ba1a6",
"id": "a4d1a8b2-b45c-4d97-a37a-bd371f13111b",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.8.1"
},
"cloud": {
"account": {
"id": "a839b112-1253-6432-9bf6-94542403f21c"
},
"instance": {
"id": "111e6dd8c833c8a052ea231ec1b19adaf497b625"
},
"provider": "azure"
},
"data_stream": {
"dataset": "microsoft_defender_endpoint.log",
"namespace": "ep",
"type": "logs"
},
"ecs": {
"version": "8.10.0"
},
"elastic_agent": {
"id": "a4d1a8b2-b45c-4d97-a37a-bd371f13111b",
"snapshot": false,
"version": "8.8.1"
},
"event": {
"action": "Execution",
"agent_id_status": "verified",
"category": [
"host"
],
"created": "2021-01-26T20:33:57.7220239Z",
"dataset": "microsoft_defender_endpoint.log",
"duration": 101466100,
"end": "2021-01-26T20:31:33.0577322Z",
"id": "da637472900382838869_1364969609",
"ingested": "2023-09-22T03:31:58Z",
"kind": "alert",
"provider": "defender_endpoint",
"severity": 2,
"start": "2021-01-26T20:31:32.9562661Z",
"timezone": "UTC",
"type": [
"access",
"start"
]
},
"host": {
"hostname": "temp123.middleeast.corp.microsoft.com",
"name": "temp123.middleeast.corp.microsoft.com"
},
"input": {
"type": "httpjson"
},
"message": "Low-reputation arbitrary code executed by signed executable",
"microsoft": {
"defender_endpoint": {
"evidence": {
"aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",
"accountName": "name",
"domainName": "DOMAIN",
"entityType": "User",
"userPrincipalName": "temp123@microsoft.com"
},
"incidentId": "1126093",
"investigationState": "Queued",
"lastUpdateTime": "2021-01-26T20:33:59.2Z",
"rbacGroupName": "A",
"status": "New"
}
},
"observer": {
"name": "WindowsDefenderAtp",
"product": "Defender for Endpoint",
"vendor": "Microsoft"
},
"related": {
"hosts": [
"temp123.middleeast.corp.microsoft.com"
],
"user": [
"temp123"
]
},
"rule": {
"description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C\u0026C) server."
},
"tags": [
"microsoft-defender-endpoint",
"forwarded"
],
"threat": {
"framework": "MITRE ATT\u0026CK",
"technique": {
"name": [
"Execution"
]
}
},
"user": {
"domain": "DOMAIN",
"id": "S-1-5-21-11111607-1111760036-109187956-75141",
"name": "temp123"
}
}