diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
index f6b1666c6c..165692fb02 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
@@ -69,45 +69,146 @@ determination | Nullable Enum | Specifies the determination of the alert. Possib
category| String | Category of the alert.
detectionSource | String | Detection source.
threatFamilyName | String | Threat family.
+threatName | String | Threat name.
+threatName | String | Threat name.
machineId | String | ID of a [machine](machine.md) entity that is associated with the alert.
computerDnsName | String | [machine](machine.md) fully qualified name.
aadTenantId | String | The Azure Active Directory ID.
-comments | List of Alert comments | Alert Comment is an object that contains: comment string, createdBy string and createTime date time.
+detectorId | String | The ID of the detector that triggered the alert.
+comments | List of Alert comments | Alert Comment object contains: comment string, createdBy string and createTime date time.
+Evidence | List of Alert evidence | Evidence related to the alert. See example below.
### Response example for getting single alert:
```
-GET https://api.securitycenter.microsoft.com/api/alerts/da637084217856368682_-292920499
+GET https://api.securitycenter.microsoft.com/api/alerts/da637472900382838869_1364969609
```
```json
{
- "id": "da637084217856368682_-292920499",
- "incidentId": 66860,
- "investigationId": 4416234,
- "investigationState": "Running",
- "assignedTo": "secop@contoso.com",
- "severity": "Low",
- "status": "New",
- "classification": "TruePositive",
- "determination": null,
- "detectionSource": "WindowsDefenderAtp",
- "category": "CommandAndControl",
- "threatFamilyName": null,
- "title": "Network connection to a risky host",
- "description": "A network connection was made to a risky host which has exhibited malicious activity.",
- "alertCreationTime": "2019-11-03T23:49:45.3823185Z",
- "firstEventTime": "2019-11-03T23:47:16.2288822Z",
- "lastEventTime": "2019-11-03T23:47:51.2966758Z",
- "lastUpdateTime": "2019-11-03T23:55:52.6Z",
- "resolvedTime": null,
- "machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd",
- "comments": [
- {
- "comment": "test comment for docs",
- "createdBy": "secop@contoso.com",
- "createdTime": "2019-11-05T14:08:37.8404534Z"
- }
- ]
+ "id": "da637472900382838869_1364969609",
+ "incidentId": 1126093,
+ "investigationId": null,
+ "assignedTo": null,
+ "severity": "Low",
+ "status": "New",
+ "classification": null,
+ "determination": null,
+ "investigationState": "Queued",
+ "detectionSource": "WindowsDefenderAtp",
+ "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952",
+ "category": "Execution",
+ "threatFamilyName": null,
+ "title": "Low-reputation arbitrary code executed by signed executable",
+ "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
+ "alertCreationTime": "2021-01-26T20:33:57.7220239Z",
+ "firstEventTime": "2021-01-26T20:31:32.9562661Z",
+ "lastEventTime": "2021-01-26T20:31:33.0577322Z",
+ "lastUpdateTime": "2021-01-26T20:33:59.2Z",
+ "resolvedTime": null,
+ "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
+ "computerDnsName": "temp123.middleeast.corp.microsoft.com",
+ "rbacGroupName": "A",
+ "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
+ "threatName": null,
+ "mitreTechniques": [
+ "T1064",
+ "T1085",
+ "T1220"
+ ],
+ "relatedUser": {
+ "userName": "temp123",
+ "domainName": "MIDDLEEAST"
+ },
+ "comments": [
+ {
+ "comment": "test comment for docs",
+ "createdBy": "secop123@contoso.com",
+ "createdTime": "2021-01-26T01:00:37.8404534Z"
+ }
+ ],
+ "evidence": [
+ {
+ "entityType": "User",
+ "evidenceCreationTime": "2021-01-26T20:33:58.42Z",
+ "sha1": null,
+ "sha256": null,
+ "fileName": null,
+ "filePath": null,
+ "processId": null,
+ "processCommandLine": null,
+ "processCreationTime": null,
+ "parentProcessId": null,
+ "parentProcessCreationTime": null,
+ "parentProcessFileName": null,
+ "parentProcessFilePath": null,
+ "ipAddress": null,
+ "url": null,
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "accountName": "eranb",
+ "domainName": "MIDDLEEAST",
+ "userSid": "S-1-5-21-11111607-1111760036-109187956-75141",
+ "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",
+ "userPrincipalName": "temp123@microsoft.com",
+ "detectionStatus": null
+ },
+ {
+ "entityType": "Process",
+ "evidenceCreationTime": "2021-01-26T20:33:58.6133333Z",
+ "sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed",
+ "sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6",
+ "fileName": "rundll32.exe",
+ "filePath": "C:\\Windows\\SysWOW64",
+ "processId": 3276,
+ "processCommandLine": "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe",
+ "processCreationTime": "2021-01-26T20:31:32.9581596Z",
+ "parentProcessId": 8420,
+ "parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z",
+ "parentProcessFileName": "rundll32.exe",
+ "parentProcessFilePath": "C:\\Windows\\System32",
+ "ipAddress": null,
+ "url": null,
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "accountName": null,
+ "domainName": null,
+ "userSid": null,
+ "aadUserId": null,
+ "userPrincipalName": null,
+ "detectionStatus": "Detected"
+ },
+ {
+ "entityType": "File",
+ "evidenceCreationTime": "2021-01-26T20:33:58.42Z",
+ "sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",
+ "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",
+ "fileName": "suspicious.dll",
+ "filePath": "c:\\temp",
+ "processId": null,
+ "processCommandLine": null,
+ "processCreationTime": null,
+ "parentProcessId": null,
+ "parentProcessCreationTime": null,
+ "parentProcessFileName": null,
+ "parentProcessFilePath": null,
+ "ipAddress": null,
+ "url": null,
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "accountName": null,
+ "domainName": null,
+ "userSid": null,
+ "aadUserId": null,
+ "userPrincipalName": null,
+ "detectionStatus": "Detected"
+ }
+ ]
}
```
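Review bot: The property table now carries the row `threatName | String | Threat name.` twice in a row, directly under `threatFamilyName`; one of the two added rows should be dropped. The new `Evidence` row is the only one not written in the camelCase of the JSON key it documents (the example below uses `"evidence"`), so it should read `evidence | List of Alert evidence | Evidence related to the alert. See example below.`. The rewritten `comments` row names the timestamp field `createTime`, while the comment object in the example carries `"createdTime"`; one of the two is wrong, and the example is the more likely to match the API. The example also introduces `mitreTechniques`, `relatedUser` and `rbacGroupName`, which do not appear in the visible part of the table — if they are not documented above this hunk, they need rows too. The table starts before the hunk.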
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md
index 8200dc8a47..51e3dc8790 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md
@@ -41,7 +41,8 @@ ms.technology: mde
### 03.01.2021
-- Update Alert evidence: added ***detectionStatus***, ***parentProcessFilePath*** and ***parentProcessFileName***.
+- Updated Alert evidence: added ***detectionStatus***, ***parentProcessFilePath*** and ***parentProcessFileName*** properties.
+- Updated [Alert entity](alerts.md): added ***detectorId*** property.
@@ -49,15 +50,16 @@ ms.technology: mde
### 15.12.2020
-- Updated [Device](machine.md) entity with IP Interfaces. See [List devices](get-machines.md).
+- Updated [Device](machine.md) entity: added ***IpInterfaces*** list. See [List devices](get-machines.md).
-### 04.12.2020
+### 04.11.2020
- Added new API: [Set device value](set-device-value.md).
+- Updated [Device](machine.md) entity: added ***deviceValue*** property.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
index 589c3508f8..504f3e3b49 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
@@ -57,75 +57,51 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
"value": [
{
- "id": "da637306396589640224_1753239473",
- "incidentId": 875832,
- "investigationId": 478434,
+ "id": "da637472900382838869_1364969609",
+ "incidentId": 1126093,
+ "investigationId": null,
"assignedTo": null,
"severity": "Low",
"status": "New",
"classification": null,
"determination": null,
- "investigationState": "PendingApproval",
- "detectionSource": "WindowsDefenderAv",
- "category": "UnwantedSoftware",
- "threatFamilyName": "InstallCore",
- "title": "An active 'InstallCore' unwanted software was detected",
- "description": "Potentially unwanted applications (PUA) often impact productivity and performance and are often unwanted in enterprise environments. This category of applications include torrent downloaders, cryptocurrency miners, browser advertising software, and evasion software.\n\nAn application is considered active if it is found running on the machine or it already has persistence mechanisms in place.\n\nBecause this PUA was active, take precautionary measures and check for residual signs of infection.",
- "alertCreationTime": "2020-07-18T03:27:38.9483995Z",
- "firstEventTime": "2020-07-18T03:25:39.6124549Z",
- "lastEventTime": "2020-07-18T03:26:18.4362304Z",
- "lastUpdateTime": "2020-07-18T03:28:19.76Z",
+ "investigationState": "Queued",
+ "detectionSource": "WindowsDefenderAtp",
+ "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952",
+ "category": "Execution",
+ "threatFamilyName": null,
+ "title": "Low-reputation arbitrary code executed by signed executable",
+ "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
+ "alertCreationTime": "2021-01-26T20:33:57.7220239Z",
+ "firstEventTime": "2021-01-26T20:31:32.9562661Z",
+ "lastEventTime": "2021-01-26T20:31:33.0577322Z",
+ "lastUpdateTime": "2021-01-26T20:33:59.2Z",
"resolvedTime": null,
- "machineId": "97868b864dc8fa09cc8726c37a1fcd8ab582f3aa",
- "computerDnsName": "temp2.redmond.corp.microsoft.com",
- "rbacGroupName": "Ring0",
- "aadTenantId": "12f988bf-1234-1234-91ab-2d7cd011db47",
+ "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
+ "computerDnsName": "temp123.middleeast.corp.microsoft.com",
+ "rbacGroupName": "A",
+ "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
+ "threatName": null,
+ "mitreTechniques": [
+ "T1064",
+ "T1085",
+ "T1220"
+ ],
"relatedUser": {
- "userName": "temp2",
- "domainName": "REDMOND"
- },
- "comments": [],
+ "userName": "temp123",
+ "domainName": "MIDDLEEAST"
+ },
+ "comments": [
+ {
+ "comment": "test comment for docs",
+ "createdBy": "secop123@contoso.com",
+ "createdTime": "2021-01-26T01:00:37.8404534Z"
+ }
+ ],
"evidence": [
- {
- "entityType": "File",
- "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
- "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
- "fileName": "Your File Is Ready To Download_1911150169.exe",
- "filePath": "C:\\Users\\temp2\\Downloads",
- "processId": null,
- "processCommandLine": null,
- "processCreationTime": null,
- "parentProcessId": null,
- "parentProcessCreationTime": null,
- "ipAddress": null,
- "url": null,
- "accountName": null,
- "domainName": null,
- "userSid": null,
- "aadUserId": null,
- "userPrincipalName": null
- },
- {
- "entityType": "Process",
- "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
- "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
- "fileName": "Your File Is Ready To Download_1911150169.exe",
- "filePath": "C:\\Users\\temp2\\Downloads",
- "processId": 24348,
- "processCommandLine": "\"Your File Is Ready To Download_1911150169.exe\" ",
- "processCreationTime": "2020-07-18T03:25:38.5269993Z",
- "parentProcessId": 16840,
- "parentProcessCreationTime": "2020-07-18T02:12:32.8616797Z",
- "ipAddress": null,
- "url": null,
- "accountName": null,
- "domainName": null,
- "userSid": null,
- "aadUserId": null,
- "userPrincipalName": null
- },
{
"entityType": "User",
+ "evidenceCreationTime": "2021-01-26T20:33:58.42Z",
"sha1": null,
"sha256": null,
"fileName": null,
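Review bot: The replacement sample gives the device `temp123.middleeast.corp.microsoft.com` an `"rbacGroupName": "A"`, while the next example in this file (the `$filter=lastUpdateTime` response) shows the same device and tenant with `"rbacGroupName": "MiddleEast"`; the same mismatch is copied into get-alerts.md. Since the field name suggests a device-group property rather than an alert-specific one, the two samples should agree on one value so readers do not take the difference as meaningful. The enclosing JSON object continues past the end of this hunk.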
@@ -135,13 +111,74 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev
"processCreationTime": null,
"parentProcessId": null,
"parentProcessCreationTime": null,
+ "parentProcessFileName": null,
+ "parentProcessFilePath": null,
"ipAddress": null,
"url": null,
- "accountName": "temp2",
- "domainName": "REDMOND",
- "userSid": "S-1-5-21-1127532184-1642412920-1887927527-75363",
- "aadUserId": "319dc320-4ce3-4cd7-a0de-c476d146342d",
- "userPrincipalName": "temp2@microsoft.com"
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "accountName": "eranb",
+ "domainName": "MIDDLEEAST",
+ "userSid": "S-1-5-21-11111607-1111760036-109187956-75141",
+ "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",
+ "userPrincipalName": "temp123@microsoft.com",
+ "detectionStatus": null
+ },
+ {
+ "entityType": "Process",
+ "evidenceCreationTime": "2021-01-26T20:33:58.6133333Z",
+ "sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed",
+ "sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6",
+ "fileName": "rundll32.exe",
+ "filePath": "C:\\Windows\\SysWOW64",
+ "processId": 3276,
+ "processCommandLine": "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe",
+ "processCreationTime": "2021-01-26T20:31:32.9581596Z",
+ "parentProcessId": 8420,
+ "parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z",
+ "parentProcessFileName": "rundll32.exe",
+ "parentProcessFilePath": "C:\\Windows\\System32",
+ "ipAddress": null,
+ "url": null,
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "accountName": null,
+ "domainName": null,
+ "userSid": null,
+ "aadUserId": null,
+ "userPrincipalName": null,
+ "detectionStatus": "Detected"
+ },
+ {
+ "entityType": "File",
+ "evidenceCreationTime": "2021-01-26T20:33:58.42Z",
+ "sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",
+ "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",
+ "fileName": "suspicious.dll",
+ "filePath": "c:\\temp",
+ "processId": null,
+ "processCommandLine": null,
+ "processCreationTime": null,
+ "parentProcessId": null,
+ "parentProcessCreationTime": null,
+ "parentProcessFileName": null,
+ "parentProcessFilePath": null,
+ "ipAddress": null,
+ "url": null,
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "accountName": null,
+ "domainName": null,
+ "userSid": null,
+ "aadUserId": null,
+ "userPrincipalName": null,
+ "detectionStatus": "Detected"
}
]
},
@@ -188,6 +225,12 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$filter=lastUpdate
"computerDnsName": "temp123.middleeast.corp.microsoft.com",
"rbacGroupName": "MiddleEast",
"aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
+ "threatName": null,
+ "mitreTechniques": [
+ "T1064",
+ "T1085",
+ "T1220"
+ ],
"relatedUser": {
"userName": "temp123",
"domainName": "MIDDLEEAST"
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
index eb0067b2ba..47af279049 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
@@ -128,6 +128,12 @@ Here is an example of the response.
"computerDnsName": "temp123.middleeast.corp.microsoft.com",
"rbacGroupName": "MiddleEast",
"aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
+ "threatName": null,
+ "mitreTechniques": [
+ "T1064",
+ "T1085",
+ "T1220"
+ ],
"relatedUser": {
"userName": "temp123",
"domainName": "MIDDLEEAST"
@@ -170,75 +176,51 @@ Here is an example of the response.
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
"value": [
{
- "id": "da637306396589640224_1753239473",
- "incidentId": 875832,
- "investigationId": 478434,
+ "id": "da637472900382838869_1364969609",
+ "incidentId": 1126093,
+ "investigationId": null,
"assignedTo": null,
"severity": "Low",
"status": "New",
"classification": null,
"determination": null,
- "investigationState": "PendingApproval",
- "detectionSource": "WindowsDefenderAv",
- "category": "UnwantedSoftware",
- "threatFamilyName": "InstallCore",
- "title": "An active 'InstallCore' unwanted software was detected",
- "description": "Potentially unwanted applications (PUA) often impact productivity and performance and are often unwanted in enterprise environments. This category of applications include torrent downloaders, cryptocurrency miners, browser advertising software, and evasion software.\n\nAn application is considered active if it is found running on the machine or it already has persistence mechanisms in place.\n\nBecause this PUA was active, take precautionary measures and check for residual signs of infection.",
- "alertCreationTime": "2020-07-18T03:27:38.9483995Z",
- "firstEventTime": "2020-07-18T03:25:39.6124549Z",
- "lastEventTime": "2020-07-18T03:26:18.4362304Z",
- "lastUpdateTime": "2020-07-18T03:28:19.76Z",
+ "investigationState": "Queued",
+ "detectionSource": "WindowsDefenderAtp",
+ "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952",
+ "category": "Execution",
+ "threatFamilyName": null,
+ "title": "Low-reputation arbitrary code executed by signed executable",
+ "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
+ "alertCreationTime": "2021-01-26T20:33:57.7220239Z",
+ "firstEventTime": "2021-01-26T20:31:32.9562661Z",
+ "lastEventTime": "2021-01-26T20:31:33.0577322Z",
+ "lastUpdateTime": "2021-01-26T20:33:59.2Z",
"resolvedTime": null,
- "machineId": "97868b864dc8fa09cc8726c37a1fcd8ab582f3aa",
- "computerDnsName": "temp2.redmond.corp.microsoft.com",
- "rbacGroupName": "Ring0",
- "aadTenantId": "12f988bf-1234-1234-91ab-2d7cd011db47",
+ "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
+ "computerDnsName": "temp123.middleeast.corp.microsoft.com",
+ "rbacGroupName": "A",
+ "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
+ "threatName": null,
+ "mitreTechniques": [
+ "T1064",
+ "T1085",
+ "T1220"
+ ],
"relatedUser": {
- "userName": "temp2",
- "domainName": "REDMOND"
- },
- "comments": [],
+ "userName": "temp123",
+ "domainName": "MIDDLEEAST"
+ },
+ "comments": [
+ {
+ "comment": "test comment for docs",
+ "createdBy": "secop123@contoso.com",
+ "createdTime": "2021-01-26T01:00:37.8404534Z"
+ }
+ ],
"evidence": [
- {
- "entityType": "File",
- "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
- "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
- "fileName": "Your File Is Ready To Download_1911150169.exe",
- "filePath": "C:\\Users\\temp2\\Downloads",
- "processId": null,
- "processCommandLine": null,
- "processCreationTime": null,
- "parentProcessId": null,
- "parentProcessCreationTime": null,
- "ipAddress": null,
- "url": null,
- "accountName": null,
- "domainName": null,
- "userSid": null,
- "aadUserId": null,
- "userPrincipalName": null
- },
- {
- "entityType": "Process",
- "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
- "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
- "fileName": "Your File Is Ready To Download_1911150169.exe",
- "filePath": "C:\\Users\\temp2\\Downloads",
- "processId": 24348,
- "processCommandLine": "\"Your File Is Ready To Download_1911150169.exe\" ",
- "processCreationTime": "2020-07-18T03:25:38.5269993Z",
- "parentProcessId": 16840,
- "parentProcessCreationTime": "2020-07-18T02:12:32.8616797Z",
- "ipAddress": null,
- "url": null,
- "accountName": null,
- "domainName": null,
- "userSid": null,
- "aadUserId": null,
- "userPrincipalName": null
- },
{
"entityType": "User",
+ "evidenceCreationTime": "2021-01-26T20:33:58.42Z",
"sha1": null,
"sha256": null,
"fileName": null,
@@ -248,13 +230,74 @@ Here is an example of the response.
"processCreationTime": null,
"parentProcessId": null,
"parentProcessCreationTime": null,
+ "parentProcessFileName": null,
+ "parentProcessFilePath": null,
"ipAddress": null,
"url": null,
- "accountName": "temp2",
- "domainName": "REDMOND",
- "userSid": "S-1-5-21-1127532184-1642412920-1887927527-75363",
- "aadUserId": "319dc320-4ce3-4cd7-a0de-c476d146342d",
- "userPrincipalName": "temp2@microsoft.com"
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "accountName": "eranb",
+ "domainName": "MIDDLEEAST",
+ "userSid": "S-1-5-21-11111607-1111760036-109187956-75141",
+ "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",
+ "userPrincipalName": "temp123@microsoft.com",
+ "detectionStatus": null
+ },
+ {
+ "entityType": "Process",
+ "evidenceCreationTime": "2021-01-26T20:33:58.6133333Z",
+ "sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed",
+ "sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6",
+ "fileName": "rundll32.exe",
+ "filePath": "C:\\Windows\\SysWOW64",
+ "processId": 3276,
+ "processCommandLine": "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe",
+ "processCreationTime": "2021-01-26T20:31:32.9581596Z",
+ "parentProcessId": 8420,
+ "parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z",
+ "parentProcessFileName": "rundll32.exe",
+ "parentProcessFilePath": "C:\\Windows\\System32",
+ "ipAddress": null,
+ "url": null,
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "accountName": null,
+ "domainName": null,
+ "userSid": null,
+ "aadUserId": null,
+ "userPrincipalName": null,
+ "detectionStatus": "Detected"
+ },
+ {
+ "entityType": "File",
+ "evidenceCreationTime": "2021-01-26T20:33:58.42Z",
+ "sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",
+ "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",
+ "fileName": "suspicious.dll",
+ "filePath": "c:\\temp",
+ "processId": null,
+ "processCommandLine": null,
+ "processCreationTime": null,
+ "parentProcessId": null,
+ "parentProcessCreationTime": null,
+ "parentProcessFileName": null,
+ "parentProcessFilePath": null,
+ "ipAddress": null,
+ "url": null,
+ "registryKey": null,
+ "registryHive": null,
+ "registryValueType": null,
+ "registryValue": null,
+ "accountName": null,
+ "domainName": null,
+ "userSid": null,
+ "aadUserId": null,
+ "userPrincipalName": null,
+ "detectionStatus": "Detected"
}
]
},