1

windows/security/threat-protection/microsoft-defender-atp/alerts.md

@@ -69,45 +69,146 @@ determination | Nullable Enum | Specifies the determination of the alert. Possib
 category| String | Category of the alert.
 detectionSource | String | Detection source.
 threatFamilyName | String | Threat family.
+threatName | String | Threat name.
+threatName | String | Threat name.
 machineId | String | ID of a [machine](machine.md) entity that is associated with the alert.
 computerDnsName | String | [machine](machine.md) fully qualified name.
 aadTenantId | String | The Azure Active Directory ID.
-comments | List of Alert comments | Alert Comment is an object that contains: comment string, createdBy string and createTime date time.
+detectorId | String | The ID of the detector that triggered the alert.
+comments | List of Alert comments | Alert Comment object contains: comment string, createdBy string and createTime date time.
+Evidence | List of Alert evidence | Evidence related to the alert. See example below.
 
 ### Response example for getting single alert:
 
 ```
-GET https://api.securitycenter.microsoft.com/api/alerts/da637084217856368682_-292920499
+GET https://api.securitycenter.microsoft.com/api/alerts/da637472900382838869_1364969609
 ```
 
 ```json
 {
-    "id": "da637084217856368682_-292920499",
-    "incidentId": 66860,
-    "investigationId": 4416234,
-    "investigationState": "Running",
-    "assignedTo": "secop@contoso.com",
-    "severity": "Low",
-    "status": "New",
-    "classification": "TruePositive",
-    "determination": null,
-    "detectionSource": "WindowsDefenderAtp",
-    "category": "CommandAndControl",
-    "threatFamilyName": null,
-    "title": "Network connection to a risky host",
-    "description": "A network connection was made to a risky host which has exhibited malicious activity.",
-    "alertCreationTime": "2019-11-03T23:49:45.3823185Z",
-    "firstEventTime": "2019-11-03T23:47:16.2288822Z",
-    "lastEventTime": "2019-11-03T23:47:51.2966758Z",
-    "lastUpdateTime": "2019-11-03T23:55:52.6Z",
-    "resolvedTime": null,
-    "machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd",
-    "comments": [
-        {
-            "comment": "test comment for docs",
-            "createdBy": "secop@contoso.com",
-            "createdTime": "2019-11-05T14:08:37.8404534Z"
-        }
-    ]
+	"id": "da637472900382838869_1364969609",
+	"incidentId": 1126093,
+	"investigationId": null,
+	"assignedTo": null,
+	"severity": "Low",
+	"status": "New",
+	"classification": null,
+	"determination": null,
+	"investigationState": "Queued",
+	"detectionSource": "WindowsDefenderAtp",
+	"detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952",
+	"category": "Execution",
+	"threatFamilyName": null,
+	"title": "Low-reputation arbitrary code executed by signed executable",
+	"description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
+	"alertCreationTime": "2021-01-26T20:33:57.7220239Z",
+	"firstEventTime": "2021-01-26T20:31:32.9562661Z",
+	"lastEventTime": "2021-01-26T20:31:33.0577322Z",
+	"lastUpdateTime": "2021-01-26T20:33:59.2Z",
+	"resolvedTime": null,
+	"machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
+	"computerDnsName": "temp123.middleeast.corp.microsoft.com",
+	"rbacGroupName": "A",
+    "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
+	"threatName": null,
+	"mitreTechniques": [
+		"T1064",
+		"T1085",
+		"T1220"
+	],
+	"relatedUser": {
+        "userName": "temp123",
+        "domainName": "MIDDLEEAST"
+    },
+	"comments": [
+		{
+			"comment": "test comment for docs",
+			"createdBy": "secop123@contoso.com",
+			"createdTime": "2021-01-26T01:00:37.8404534Z"
+		}
+	],
+	"evidence": [
+		{
+			"entityType": "User",
+			"evidenceCreationTime": "2021-01-26T20:33:58.42Z",
+			"sha1": null,
+			"sha256": null,
+			"fileName": null,
+			"filePath": null,
+			"processId": null,
+			"processCommandLine": null,
+			"processCreationTime": null,
+			"parentProcessId": null,
+			"parentProcessCreationTime": null,
+			"parentProcessFileName": null,
+			"parentProcessFilePath": null,
+			"ipAddress": null,
+			"url": null,
+			"registryKey": null,
+			"registryHive": null,
+			"registryValueType": null,
+			"registryValue": null,
+			"accountName": "eranb",
+			"domainName": "MIDDLEEAST",
+			"userSid": "S-1-5-21-11111607-1111760036-109187956-75141",
+			"aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",
+			"userPrincipalName": "temp123@microsoft.com",
+			"detectionStatus": null
+		},
+		{
+			"entityType": "Process",
+			"evidenceCreationTime": "2021-01-26T20:33:58.6133333Z",
+			"sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed",
+			"sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6",
+			"fileName": "rundll32.exe",
+			"filePath": "C:\\Windows\\SysWOW64",
+			"processId": 3276,
+			"processCommandLine": "rundll32.exe  c:\\temp\\suspicious.dll,RepeatAfterMe",
+			"processCreationTime": "2021-01-26T20:31:32.9581596Z",
+			"parentProcessId": 8420,
+			"parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z",
+			"parentProcessFileName": "rundll32.exe",
+			"parentProcessFilePath": "C:\\Windows\\System32",
+			"ipAddress": null,
+			"url": null,
+			"registryKey": null,
+			"registryHive": null,
+			"registryValueType": null,
+			"registryValue": null,
+			"accountName": null,
+			"domainName": null,
+			"userSid": null,
+			"aadUserId": null,
+			"userPrincipalName": null,
+			"detectionStatus": "Detected"
+		},
+		{
+			"entityType": "File",
+			"evidenceCreationTime": "2021-01-26T20:33:58.42Z",
+			"sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",
+			"sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",
+			"fileName": "suspicious.dll",
+			"filePath": "c:\\temp",
+			"processId": null,
+			"processCommandLine": null,
+			"processCreationTime": null,
+			"parentProcessId": null,
+			"parentProcessCreationTime": null,
+			"parentProcessFileName": null,
+			"parentProcessFilePath": null,
+			"ipAddress": null,
+			"url": null,
+			"registryKey": null,
+			"registryHive": null,
+			"registryValueType": null,
+			"registryValue": null,
+			"accountName": null,
+			"domainName": null,
+			"userSid": null,
+			"aadUserId": null,
+			"userPrincipalName": null,
+			"detectionStatus": "Detected"
+		}
+	]
 }
 ```

windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md

@@ -41,7 +41,8 @@ ms.technology: mde
 ### 03.01.2021
 <hr>
 
-- Update Alert evidence: added ***detectionStatus***, ***parentProcessFilePath*** and ***parentProcessFileName***.
+- Updated Alert evidence: added ***detectionStatus***, ***parentProcessFilePath*** and ***parentProcessFileName*** properties.
+- Updated [Alert entity](alerts.md): added ***detectorId*** property.
 
 <br>
 <br>
@@ -49,15 +50,16 @@ ms.technology: mde
 ### 15.12.2020
 <hr>
 
-- Updated [Device](machine.md) entity with IP Interfaces. See [List devices](get-machines.md).
+- Updated [Device](machine.md) entity: added ***IpInterfaces*** list. See [List devices](get-machines.md).
 
 <br>
 <br>
 
-### 04.12.2020
+### 04.11.2020
 <hr>
 
 - Added new API: [Set device value](set-device-value.md).
+- Updated [Device](machine.md) entity: added ***deviceValue*** property.
 
 <br>
 <br>

windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md

@@ -57,75 +57,51 @@ HTTP GET  https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev
     "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
     "value": [
 		{
-			"id": "da637306396589640224_1753239473",
-			"incidentId": 875832,
-			"investigationId": 478434,
+			"id": "da637472900382838869_1364969609",
+			"incidentId": 1126093,
+			"investigationId": null,
 			"assignedTo": null,
 			"severity": "Low",
 			"status": "New",
 			"classification": null,
 			"determination": null,
-			"investigationState": "PendingApproval",
-			"detectionSource": "WindowsDefenderAv",
-			"category": "UnwantedSoftware",
-			"threatFamilyName": "InstallCore",
-			"title": "An active 'InstallCore' unwanted software was detected",
-			"description": "Potentially unwanted applications (PUA) often impact productivity and performance and are often unwanted in enterprise environments. This category of applications include torrent downloaders, cryptocurrency miners, browser advertising software, and evasion software.\n\nAn application is considered active if it is found running on the machine or it already has persistence mechanisms in place.\n\nBecause this PUA was active, take precautionary measures and check for residual signs of infection.",
-			"alertCreationTime": "2020-07-18T03:27:38.9483995Z",
-			"firstEventTime": "2020-07-18T03:25:39.6124549Z",
-			"lastEventTime": "2020-07-18T03:26:18.4362304Z",
-			"lastUpdateTime": "2020-07-18T03:28:19.76Z",
+			"investigationState": "Queued",
+			"detectionSource": "WindowsDefenderAtp",
+			"detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952",
+			"category": "Execution",
+			"threatFamilyName": null,
+			"title": "Low-reputation arbitrary code executed by signed executable",
+			"description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
+			"alertCreationTime": "2021-01-26T20:33:57.7220239Z",
+			"firstEventTime": "2021-01-26T20:31:32.9562661Z",
+			"lastEventTime": "2021-01-26T20:31:33.0577322Z",
+			"lastUpdateTime": "2021-01-26T20:33:59.2Z",
 			"resolvedTime": null,
-			"machineId": "97868b864dc8fa09cc8726c37a1fcd8ab582f3aa",
-			"computerDnsName": "temp2.redmond.corp.microsoft.com",
-			"rbacGroupName": "Ring0",
-			"aadTenantId": "12f988bf-1234-1234-91ab-2d7cd011db47",
+			"machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
+			"computerDnsName": "temp123.middleeast.corp.microsoft.com",
+			"rbacGroupName": "A",
+            "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
+			"threatName": null,
+			"mitreTechniques": [
+				"T1064",
+				"T1085",
+				"T1220"
+			],
 			"relatedUser": {
-				"userName": "temp2",
-				"domainName": "REDMOND"
-			},
-			"comments": [],
+                "userName": "temp123",
+                "domainName": "MIDDLEEAST"
+            },
+			"comments": [
+				{
+					"comment": "test comment for docs",
+					"createdBy": "secop123@contoso.com",
+					"createdTime": "2021-01-26T01:00:37.8404534Z"
+				}
+			],
 			"evidence": [
-				{
-					"entityType": "File",
-					"sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
-					"sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
-					"fileName": "Your File Is Ready To Download_1911150169.exe",
-					"filePath": "C:\\Users\\temp2\\Downloads",
-					"processId": null,
-					"processCommandLine": null,
-					"processCreationTime": null,
-					"parentProcessId": null,
-					"parentProcessCreationTime": null,
-					"ipAddress": null,
-					"url": null,
-					"accountName": null,
-					"domainName": null,
-					"userSid": null,
-					"aadUserId": null,
-					"userPrincipalName": null
-				},
-				{
-					"entityType": "Process",
-					"sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
-					"sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
-					"fileName": "Your File Is Ready To Download_1911150169.exe",
-					"filePath": "C:\\Users\\temp2\\Downloads",
-					"processId": 24348,
-					"processCommandLine": "\"Your File Is Ready To Download_1911150169.exe\" ",
-					"processCreationTime": "2020-07-18T03:25:38.5269993Z",
-					"parentProcessId": 16840,
-					"parentProcessCreationTime": "2020-07-18T02:12:32.8616797Z",
-					"ipAddress": null,
-					"url": null,
-					"accountName": null,
-					"domainName": null,
-					"userSid": null,
-					"aadUserId": null,
-					"userPrincipalName": null
-				},
 				{
 					"entityType": "User",
+					"evidenceCreationTime": "2021-01-26T20:33:58.42Z",
 					"sha1": null,
 					"sha256": null,
 					"fileName": null,
@@ -135,13 +111,74 @@ HTTP GET  https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev
 					"processCreationTime": null,
 					"parentProcessId": null,
 					"parentProcessCreationTime": null,
+					"parentProcessFileName": null,
+					"parentProcessFilePath": null,
 					"ipAddress": null,
 					"url": null,
-					"accountName": "temp2",
-					"domainName": "REDMOND",
-					"userSid": "S-1-5-21-1127532184-1642412920-1887927527-75363",
-					"aadUserId": "319dc320-4ce3-4cd7-a0de-c476d146342d",
-					"userPrincipalName": "temp2@microsoft.com"
+					"registryKey": null,
+					"registryHive": null,
+					"registryValueType": null,
+					"registryValue": null,
+					"accountName": "eranb",
+					"domainName": "MIDDLEEAST",
+					"userSid": "S-1-5-21-11111607-1111760036-109187956-75141",
+					"aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",
+					"userPrincipalName": "temp123@microsoft.com",
+					"detectionStatus": null
+				},
+				{
+					"entityType": "Process",
+					"evidenceCreationTime": "2021-01-26T20:33:58.6133333Z",
+					"sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed",
+					"sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6",
+					"fileName": "rundll32.exe",
+					"filePath": "C:\\Windows\\SysWOW64",
+					"processId": 3276,
+					"processCommandLine": "rundll32.exe  c:\\temp\\suspicious.dll,RepeatAfterMe",
+					"processCreationTime": "2021-01-26T20:31:32.9581596Z",
+					"parentProcessId": 8420,
+					"parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z",
+					"parentProcessFileName": "rundll32.exe",
+					"parentProcessFilePath": "C:\\Windows\\System32",
+					"ipAddress": null,
+					"url": null,
+					"registryKey": null,
+					"registryHive": null,
+					"registryValueType": null,
+					"registryValue": null,
+					"accountName": null,
+					"domainName": null,
+					"userSid": null,
+					"aadUserId": null,
+					"userPrincipalName": null,
+					"detectionStatus": "Detected"
+				},
+				{
+					"entityType": "File",
+					"evidenceCreationTime": "2021-01-26T20:33:58.42Z",
+					"sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",
+					"sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",
+					"fileName": "suspicious.dll",
+					"filePath": "c:\\temp",
+					"processId": null,
+					"processCommandLine": null,
+					"processCreationTime": null,
+					"parentProcessId": null,
+					"parentProcessCreationTime": null,
+					"parentProcessFileName": null,
+					"parentProcessFilePath": null,
+					"ipAddress": null,
+					"url": null,
+					"registryKey": null,
+					"registryHive": null,
+					"registryValueType": null,
+					"registryValue": null,
+					"accountName": null,
+					"domainName": null,
+					"userSid": null,
+					"aadUserId": null,
+					"userPrincipalName": null,
+					"detectionStatus": "Detected"
 				}
 			]
 		},
@@ -188,6 +225,12 @@ HTTP GET  https://api.securitycenter.microsoft.com/api/alerts?$filter=lastUpdate
             "computerDnsName": "temp123.middleeast.corp.microsoft.com",
             "rbacGroupName": "MiddleEast",
             "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
+			"threatName": null,
+			"mitreTechniques": [
+				"T1064",
+				"T1085",
+				"T1220"
+			],
             "relatedUser": {
                 "userName": "temp123",
                 "domainName": "MIDDLEEAST"

windows/security/threat-protection/microsoft-defender-atp/get-alerts.md

@@ -128,6 +128,12 @@ Here is an example of the response.
             "computerDnsName": "temp123.middleeast.corp.microsoft.com",
             "rbacGroupName": "MiddleEast",
             "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
+			"threatName": null,
+			"mitreTechniques": [
+				"T1064",
+				"T1085",
+				"T1220"
+			],
             "relatedUser": {
                 "userName": "temp123",
                 "domainName": "MIDDLEEAST"
@@ -170,75 +176,51 @@ Here is an example of the response.
     "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
     "value": [
 		{
-			"id": "da637306396589640224_1753239473",
-			"incidentId": 875832,
-			"investigationId": 478434,
+			"id": "da637472900382838869_1364969609",
+			"incidentId": 1126093,
+			"investigationId": null,
 			"assignedTo": null,
 			"severity": "Low",
 			"status": "New",
 			"classification": null,
 			"determination": null,
-			"investigationState": "PendingApproval",
-			"detectionSource": "WindowsDefenderAv",
-			"category": "UnwantedSoftware",
-			"threatFamilyName": "InstallCore",
-			"title": "An active 'InstallCore' unwanted software was detected",
-			"description": "Potentially unwanted applications (PUA) often impact productivity and performance and are often unwanted in enterprise environments. This category of applications include torrent downloaders, cryptocurrency miners, browser advertising software, and evasion software.\n\nAn application is considered active if it is found running on the machine or it already has persistence mechanisms in place.\n\nBecause this PUA was active, take precautionary measures and check for residual signs of infection.",
-			"alertCreationTime": "2020-07-18T03:27:38.9483995Z",
-			"firstEventTime": "2020-07-18T03:25:39.6124549Z",
-			"lastEventTime": "2020-07-18T03:26:18.4362304Z",
-			"lastUpdateTime": "2020-07-18T03:28:19.76Z",
+			"investigationState": "Queued",
+			"detectionSource": "WindowsDefenderAtp",
+			"detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952",
+			"category": "Execution",
+			"threatFamilyName": null,
+			"title": "Low-reputation arbitrary code executed by signed executable",
+			"description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
+			"alertCreationTime": "2021-01-26T20:33:57.7220239Z",
+			"firstEventTime": "2021-01-26T20:31:32.9562661Z",
+			"lastEventTime": "2021-01-26T20:31:33.0577322Z",
+			"lastUpdateTime": "2021-01-26T20:33:59.2Z",
 			"resolvedTime": null,
-			"machineId": "97868b864dc8fa09cc8726c37a1fcd8ab582f3aa",
-			"computerDnsName": "temp2.redmond.corp.microsoft.com",
-			"rbacGroupName": "Ring0",
-			"aadTenantId": "12f988bf-1234-1234-91ab-2d7cd011db47",
+			"machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
+			"computerDnsName": "temp123.middleeast.corp.microsoft.com",
+			"rbacGroupName": "A",
+            "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
+			"threatName": null,
+			"mitreTechniques": [
+				"T1064",
+				"T1085",
+				"T1220"
+			],
 			"relatedUser": {
-				"userName": "temp2",
-				"domainName": "REDMOND"
-			},
-			"comments": [],
+                "userName": "temp123",
+                "domainName": "MIDDLEEAST"
+            },
+			"comments": [
+				{
+					"comment": "test comment for docs",
+					"createdBy": "secop123@contoso.com",
+					"createdTime": "2021-01-26T01:00:37.8404534Z"
+				}
+			],
 			"evidence": [
-				{
-					"entityType": "File",
-					"sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
-					"sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
-					"fileName": "Your File Is Ready To Download_1911150169.exe",
-					"filePath": "C:\\Users\\temp2\\Downloads",
-					"processId": null,
-					"processCommandLine": null,
-					"processCreationTime": null,
-					"parentProcessId": null,
-					"parentProcessCreationTime": null,
-					"ipAddress": null,
-					"url": null,
-					"accountName": null,
-					"domainName": null,
-					"userSid": null,
-					"aadUserId": null,
-					"userPrincipalName": null
-				},
-				{
-					"entityType": "Process",
-					"sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
-					"sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
-					"fileName": "Your File Is Ready To Download_1911150169.exe",
-					"filePath": "C:\\Users\\temp2\\Downloads",
-					"processId": 24348,
-					"processCommandLine": "\"Your File Is Ready To Download_1911150169.exe\" ",
-					"processCreationTime": "2020-07-18T03:25:38.5269993Z",
-					"parentProcessId": 16840,
-					"parentProcessCreationTime": "2020-07-18T02:12:32.8616797Z",
-					"ipAddress": null,
-					"url": null,
-					"accountName": null,
-					"domainName": null,
-					"userSid": null,
-					"aadUserId": null,
-					"userPrincipalName": null
-				},
 				{
 					"entityType": "User",
+					"evidenceCreationTime": "2021-01-26T20:33:58.42Z",
 					"sha1": null,
 					"sha256": null,
 					"fileName": null,
@@ -248,13 +230,74 @@ Here is an example of the response.
 					"processCreationTime": null,
 					"parentProcessId": null,
 					"parentProcessCreationTime": null,
+					"parentProcessFileName": null,
+					"parentProcessFilePath": null,
 					"ipAddress": null,
 					"url": null,
-					"accountName": "temp2",
-					"domainName": "REDMOND",
-					"userSid": "S-1-5-21-1127532184-1642412920-1887927527-75363",
-					"aadUserId": "319dc320-4ce3-4cd7-a0de-c476d146342d",
-					"userPrincipalName": "temp2@microsoft.com"
+					"registryKey": null,
+					"registryHive": null,
+					"registryValueType": null,
+					"registryValue": null,
+					"accountName": "eranb",
+					"domainName": "MIDDLEEAST",
+					"userSid": "S-1-5-21-11111607-1111760036-109187956-75141",
+					"aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",
+					"userPrincipalName": "temp123@microsoft.com",
+					"detectionStatus": null
+				},
+				{
+					"entityType": "Process",
+					"evidenceCreationTime": "2021-01-26T20:33:58.6133333Z",
+					"sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed",
+					"sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6",
+					"fileName": "rundll32.exe",
+					"filePath": "C:\\Windows\\SysWOW64",
+					"processId": 3276,
+					"processCommandLine": "rundll32.exe  c:\\temp\\suspicious.dll,RepeatAfterMe",
+					"processCreationTime": "2021-01-26T20:31:32.9581596Z",
+					"parentProcessId": 8420,
+					"parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z",
+					"parentProcessFileName": "rundll32.exe",
+					"parentProcessFilePath": "C:\\Windows\\System32",
+					"ipAddress": null,
+					"url": null,
+					"registryKey": null,
+					"registryHive": null,
+					"registryValueType": null,
+					"registryValue": null,
+					"accountName": null,
+					"domainName": null,
+					"userSid": null,
+					"aadUserId": null,
+					"userPrincipalName": null,
+					"detectionStatus": "Detected"
+				},
+				{
+					"entityType": "File",
+					"evidenceCreationTime": "2021-01-26T20:33:58.42Z",
+					"sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",
+					"sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",
+					"fileName": "suspicious.dll",
+					"filePath": "c:\\temp",
+					"processId": null,
+					"processCommandLine": null,
+					"processCreationTime": null,
+					"parentProcessId": null,
+					"parentProcessCreationTime": null,
+					"parentProcessFileName": null,
+					"parentProcessFilePath": null,
+					"ipAddress": null,
+					"url": null,
+					"registryKey": null,
+					"registryHive": null,
+					"registryValueType": null,
+					"registryValue": null,
+					"accountName": null,
+					"domainName": null,
+					"userSid": null,
+					"aadUserId": null,
+					"userPrincipalName": null,
+					"detectionStatus": "Detected"
 				}
 			]
 		},