Ben Alfasi
2021-01-28 20:12:39 +02:00
parent 7029056634
commit 2560de7959
4 changed files with 349 additions and 160 deletions


@ -69,45 +69,146 @@ determination | Nullable Enum | Specifies the determination of the alert. Possib
category| String | Category of the alert. category| String | Category of the alert.
detectionSource | String | Detection source. detectionSource | String | Detection source.
threatFamilyName | String | Threat family. threatFamilyName | String | Threat family.
threatName | String | Threat name.
threatName | String | Threat name.
machineId | String | ID of a [machine](machine.md) entity that is associated with the alert. machineId | String | ID of a [machine](machine.md) entity that is associated with the alert.
computerDnsName | String | [machine](machine.md) fully qualified name. computerDnsName | String | [machine](machine.md) fully qualified name.
aadTenantId | String | The Azure Active Directory ID. aadTenantId | String | The Azure Active Directory ID.
comments | List of Alert comments | Alert Comment is an object that contains: comment string, createdBy string and createTime date time. detectorId | String | The ID of the detector that triggered the alert.
comments | List of Alert comments | Alert Comment object contains: comment string, createdBy string and createTime date time.
Evidence | List of Alert evidence | Evidence related to the alert. See example below.
### Response example for getting single alert: ### Response example for getting single alert:
``` ```
GET https://api.securitycenter.microsoft.com/api/alerts/da637084217856368682_-292920499 GET https://api.securitycenter.microsoft.com/api/alerts/da637472900382838869_1364969609
``` ```
```json ```json
{ {
"id": "da637084217856368682_-292920499", "id": "da637472900382838869_1364969609",
"incidentId": 66860, "incidentId": 1126093,
"investigationId": 4416234, "investigationId": null,
"investigationState": "Running", "assignedTo": null,
"assignedTo": "secop@contoso.com", "severity": "Low",
"severity": "Low", "status": "New",
"status": "New", "classification": null,
"classification": "TruePositive", "determination": null,
"determination": null, "investigationState": "Queued",
"detectionSource": "WindowsDefenderAtp", "detectionSource": "WindowsDefenderAtp",
"category": "CommandAndControl", "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952",
"threatFamilyName": null, "category": "Execution",
"title": "Network connection to a risky host", "threatFamilyName": null,
"description": "A network connection was made to a risky host which has exhibited malicious activity.", "title": "Low-reputation arbitrary code executed by signed executable",
"alertCreationTime": "2019-11-03T23:49:45.3823185Z", "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
"firstEventTime": "2019-11-03T23:47:16.2288822Z", "alertCreationTime": "2021-01-26T20:33:57.7220239Z",
"lastEventTime": "2019-11-03T23:47:51.2966758Z", "firstEventTime": "2021-01-26T20:31:32.9562661Z",
"lastUpdateTime": "2019-11-03T23:55:52.6Z", "lastEventTime": "2021-01-26T20:31:33.0577322Z",
"resolvedTime": null, "lastUpdateTime": "2021-01-26T20:33:59.2Z",
"machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd", "resolvedTime": null,
"comments": [ "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
{ "computerDnsName": "temp123.middleeast.corp.microsoft.com",
"comment": "test comment for docs", "rbacGroupName": "A",
"createdBy": "secop@contoso.com", "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
"createdTime": "2019-11-05T14:08:37.8404534Z" "threatName": null,
} "mitreTechniques": [
] "T1064",
"T1085",
"T1220"
],
"relatedUser": {
"userName": "temp123",
"domainName": "MIDDLEEAST"
},
"comments": [
{
"comment": "test comment for docs",
"createdBy": "secop123@contoso.com",
"createdTime": "2021-01-26T01:00:37.8404534Z"
}
],
"evidence": [
{
"entityType": "User",
"evidenceCreationTime": "2021-01-26T20:33:58.42Z",
"sha1": null,
"sha256": null,
"fileName": null,
"filePath": null,
"processId": null,
"processCommandLine": null,
"processCreationTime": null,
"parentProcessId": null,
"parentProcessCreationTime": null,
"parentProcessFileName": null,
"parentProcessFilePath": null,
"ipAddress": null,
"url": null,
"registryKey": null,
"registryHive": null,
"registryValueType": null,
"registryValue": null,
"accountName": "eranb",
"domainName": "MIDDLEEAST",
"userSid": "S-1-5-21-11111607-1111760036-109187956-75141",
"aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",
"userPrincipalName": "temp123@microsoft.com",
"detectionStatus": null
},
{
"entityType": "Process",
"evidenceCreationTime": "2021-01-26T20:33:58.6133333Z",
"sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed",
"sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6",
"fileName": "rundll32.exe",
"filePath": "C:\\Windows\\SysWOW64",
"processId": 3276,
"processCommandLine": "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe",
"processCreationTime": "2021-01-26T20:31:32.9581596Z",
"parentProcessId": 8420,
"parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z",
"parentProcessFileName": "rundll32.exe",
"parentProcessFilePath": "C:\\Windows\\System32",
"ipAddress": null,
"url": null,
"registryKey": null,
"registryHive": null,
"registryValueType": null,
"registryValue": null,
"accountName": null,
"domainName": null,
"userSid": null,
"aadUserId": null,
"userPrincipalName": null,
"detectionStatus": "Detected"
},
{
"entityType": "File",
"evidenceCreationTime": "2021-01-26T20:33:58.42Z",
"sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",
"sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",
"fileName": "suspicious.dll",
"filePath": "c:\\temp",
"processId": null,
"processCommandLine": null,
"processCreationTime": null,
"parentProcessId": null,
"parentProcessCreationTime": null,
"parentProcessFileName": null,
"parentProcessFilePath": null,
"ipAddress": null,
"url": null,
"registryKey": null,
"registryHive": null,
"registryValueType": null,
"registryValue": null,
"accountName": null,
"domainName": null,
"userSid": null,
"aadUserId": null,
"userPrincipalName": null,
"detectionStatus": "Detected"
}
]
} }
``` ```


@ -41,7 +41,8 @@ ms.technology: mde
### 03.01.2021 ### 03.01.2021
<hr> <hr>
- Update Alert evidence: added ***detectionStatus***, ***parentProcessFilePath*** and ***parentProcessFileName***. - Updated Alert evidence: added ***detectionStatus***, ***parentProcessFilePath*** and ***parentProcessFileName*** properties.
- Updated [Alert entity](alerts.md): added ***detectorId*** property.
<br> <br>
<br> <br>
@ -49,15 +50,16 @@ ms.technology: mde
### 15.12.2020 ### 15.12.2020
<hr> <hr>
- Updated [Device](machine.md) entity with IP Interfaces. See [List devices](get-machines.md). - Updated [Device](machine.md) entity: added ***IpInterfaces*** list. See [List devices](get-machines.md).
<br> <br>
<br> <br>
### 04.12.2020 ### 04.11.2020
<hr> <hr>
- Added new API: [Set device value](set-device-value.md). - Added new API: [Set device value](set-device-value.md).
- Updated [Device](machine.md) entity: added ***deviceValue*** property.
<br> <br>
<br> <br>


@ -57,75 +57,51 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts", "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
"value": [ "value": [
{ {
"id": "da637306396589640224_1753239473", "id": "da637472900382838869_1364969609",
"incidentId": 875832, "incidentId": 1126093,
"investigationId": 478434, "investigationId": null,
"assignedTo": null, "assignedTo": null,
"severity": "Low", "severity": "Low",
"status": "New", "status": "New",
"classification": null, "classification": null,
"determination": null, "determination": null,
"investigationState": "PendingApproval", "investigationState": "Queued",
"detectionSource": "WindowsDefenderAv", "detectionSource": "WindowsDefenderAtp",
"category": "UnwantedSoftware", "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952",
"threatFamilyName": "InstallCore", "category": "Execution",
"title": "An active 'InstallCore' unwanted software was detected", "threatFamilyName": null,
"description": "Potentially unwanted applications (PUA) often impact productivity and performance and are often unwanted in enterprise environments. This category of applications include torrent downloaders, cryptocurrency miners, browser advertising software, and evasion software.\n\nAn application is considered active if it is found running on the machine or it already has persistence mechanisms in place.\n\nBecause this PUA was active, take precautionary measures and check for residual signs of infection.", "title": "Low-reputation arbitrary code executed by signed executable",
"alertCreationTime": "2020-07-18T03:27:38.9483995Z", "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
"firstEventTime": "2020-07-18T03:25:39.6124549Z", "alertCreationTime": "2021-01-26T20:33:57.7220239Z",
"lastEventTime": "2020-07-18T03:26:18.4362304Z", "firstEventTime": "2021-01-26T20:31:32.9562661Z",
"lastUpdateTime": "2020-07-18T03:28:19.76Z", "lastEventTime": "2021-01-26T20:31:33.0577322Z",
"lastUpdateTime": "2021-01-26T20:33:59.2Z",
"resolvedTime": null, "resolvedTime": null,
"machineId": "97868b864dc8fa09cc8726c37a1fcd8ab582f3aa", "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
"computerDnsName": "temp2.redmond.corp.microsoft.com", "computerDnsName": "temp123.middleeast.corp.microsoft.com",
"rbacGroupName": "Ring0", "rbacGroupName": "A",
"aadTenantId": "12f988bf-1234-1234-91ab-2d7cd011db47", "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
"threatName": null,
"mitreTechniques": [
"T1064",
"T1085",
"T1220"
],
"relatedUser": { "relatedUser": {
"userName": "temp2", "userName": "temp123",
"domainName": "REDMOND" "domainName": "MIDDLEEAST"
}, },
"comments": [], "comments": [
{
"comment": "test comment for docs",
"createdBy": "secop123@contoso.com",
"createdTime": "2021-01-26T01:00:37.8404534Z"
}
],
"evidence": [ "evidence": [
{
"entityType": "File",
"sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
"sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
"fileName": "Your File Is Ready To Download_1911150169.exe",
"filePath": "C:\\Users\\temp2\\Downloads",
"processId": null,
"processCommandLine": null,
"processCreationTime": null,
"parentProcessId": null,
"parentProcessCreationTime": null,
"ipAddress": null,
"url": null,
"accountName": null,
"domainName": null,
"userSid": null,
"aadUserId": null,
"userPrincipalName": null
},
{
"entityType": "Process",
"sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
"sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
"fileName": "Your File Is Ready To Download_1911150169.exe",
"filePath": "C:\\Users\\temp2\\Downloads",
"processId": 24348,
"processCommandLine": "\"Your File Is Ready To Download_1911150169.exe\" ",
"processCreationTime": "2020-07-18T03:25:38.5269993Z",
"parentProcessId": 16840,
"parentProcessCreationTime": "2020-07-18T02:12:32.8616797Z",
"ipAddress": null,
"url": null,
"accountName": null,
"domainName": null,
"userSid": null,
"aadUserId": null,
"userPrincipalName": null
},
{ {
"entityType": "User", "entityType": "User",
"evidenceCreationTime": "2021-01-26T20:33:58.42Z",
"sha1": null, "sha1": null,
"sha256": null, "sha256": null,
"fileName": null, "fileName": null,
@ -135,13 +111,74 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev
"processCreationTime": null, "processCreationTime": null,
"parentProcessId": null, "parentProcessId": null,
"parentProcessCreationTime": null, "parentProcessCreationTime": null,
"parentProcessFileName": null,
"parentProcessFilePath": null,
"ipAddress": null, "ipAddress": null,
"url": null, "url": null,
"accountName": "temp2", "registryKey": null,
"domainName": "REDMOND", "registryHive": null,
"userSid": "S-1-5-21-1127532184-1642412920-1887927527-75363", "registryValueType": null,
"aadUserId": "319dc320-4ce3-4cd7-a0de-c476d146342d", "registryValue": null,
"userPrincipalName": "temp2@microsoft.com" "accountName": "eranb",
"domainName": "MIDDLEEAST",
"userSid": "S-1-5-21-11111607-1111760036-109187956-75141",
"aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",
"userPrincipalName": "temp123@microsoft.com",
"detectionStatus": null
},
{
"entityType": "Process",
"evidenceCreationTime": "2021-01-26T20:33:58.6133333Z",
"sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed",
"sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6",
"fileName": "rundll32.exe",
"filePath": "C:\\Windows\\SysWOW64",
"processId": 3276,
"processCommandLine": "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe",
"processCreationTime": "2021-01-26T20:31:32.9581596Z",
"parentProcessId": 8420,
"parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z",
"parentProcessFileName": "rundll32.exe",
"parentProcessFilePath": "C:\\Windows\\System32",
"ipAddress": null,
"url": null,
"registryKey": null,
"registryHive": null,
"registryValueType": null,
"registryValue": null,
"accountName": null,
"domainName": null,
"userSid": null,
"aadUserId": null,
"userPrincipalName": null,
"detectionStatus": "Detected"
},
{
"entityType": "File",
"evidenceCreationTime": "2021-01-26T20:33:58.42Z",
"sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",
"sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",
"fileName": "suspicious.dll",
"filePath": "c:\\temp",
"processId": null,
"processCommandLine": null,
"processCreationTime": null,
"parentProcessId": null,
"parentProcessCreationTime": null,
"parentProcessFileName": null,
"parentProcessFilePath": null,
"ipAddress": null,
"url": null,
"registryKey": null,
"registryHive": null,
"registryValueType": null,
"registryValue": null,
"accountName": null,
"domainName": null,
"userSid": null,
"aadUserId": null,
"userPrincipalName": null,
"detectionStatus": "Detected"
} }
] ]
}, },
@ -188,6 +225,12 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$filter=lastUpdate
"computerDnsName": "temp123.middleeast.corp.microsoft.com", "computerDnsName": "temp123.middleeast.corp.microsoft.com",
"rbacGroupName": "MiddleEast", "rbacGroupName": "MiddleEast",
"aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c", "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
"threatName": null,
"mitreTechniques": [
"T1064",
"T1085",
"T1220"
],
"relatedUser": { "relatedUser": {
"userName": "temp123", "userName": "temp123",
"domainName": "MIDDLEEAST" "domainName": "MIDDLEEAST"


@ -128,6 +128,12 @@ Here is an example of the response.
"computerDnsName": "temp123.middleeast.corp.microsoft.com", "computerDnsName": "temp123.middleeast.corp.microsoft.com",
"rbacGroupName": "MiddleEast", "rbacGroupName": "MiddleEast",
"aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c", "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
"threatName": null,
"mitreTechniques": [
"T1064",
"T1085",
"T1220"
],
"relatedUser": { "relatedUser": {
"userName": "temp123", "userName": "temp123",
"domainName": "MIDDLEEAST" "domainName": "MIDDLEEAST"
@ -170,75 +176,51 @@ Here is an example of the response.
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts", "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
"value": [ "value": [
{ {
"id": "da637306396589640224_1753239473", "id": "da637472900382838869_1364969609",
"incidentId": 875832, "incidentId": 1126093,
"investigationId": 478434, "investigationId": null,
"assignedTo": null, "assignedTo": null,
"severity": "Low", "severity": "Low",
"status": "New", "status": "New",
"classification": null, "classification": null,
"determination": null, "determination": null,
"investigationState": "PendingApproval", "investigationState": "Queued",
"detectionSource": "WindowsDefenderAv", "detectionSource": "WindowsDefenderAtp",
"category": "UnwantedSoftware", "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952",
"threatFamilyName": "InstallCore", "category": "Execution",
"title": "An active 'InstallCore' unwanted software was detected", "threatFamilyName": null,
"description": "Potentially unwanted applications (PUA) often impact productivity and performance and are often unwanted in enterprise environments. This category of applications include torrent downloaders, cryptocurrency miners, browser advertising software, and evasion software.\n\nAn application is considered active if it is found running on the machine or it already has persistence mechanisms in place.\n\nBecause this PUA was active, take precautionary measures and check for residual signs of infection.", "title": "Low-reputation arbitrary code executed by signed executable",
"alertCreationTime": "2020-07-18T03:27:38.9483995Z", "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
"firstEventTime": "2020-07-18T03:25:39.6124549Z", "alertCreationTime": "2021-01-26T20:33:57.7220239Z",
"lastEventTime": "2020-07-18T03:26:18.4362304Z", "firstEventTime": "2021-01-26T20:31:32.9562661Z",
"lastUpdateTime": "2020-07-18T03:28:19.76Z", "lastEventTime": "2021-01-26T20:31:33.0577322Z",
"lastUpdateTime": "2021-01-26T20:33:59.2Z",
"resolvedTime": null, "resolvedTime": null,
"machineId": "97868b864dc8fa09cc8726c37a1fcd8ab582f3aa", "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
"computerDnsName": "temp2.redmond.corp.microsoft.com", "computerDnsName": "temp123.middleeast.corp.microsoft.com",
"rbacGroupName": "Ring0", "rbacGroupName": "A",
"aadTenantId": "12f988bf-1234-1234-91ab-2d7cd011db47", "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
"threatName": null,
"mitreTechniques": [
"T1064",
"T1085",
"T1220"
],
"relatedUser": { "relatedUser": {
"userName": "temp2", "userName": "temp123",
"domainName": "REDMOND" "domainName": "MIDDLEEAST"
}, },
"comments": [], "comments": [
{
"comment": "test comment for docs",
"createdBy": "secop123@contoso.com",
"createdTime": "2021-01-26T01:00:37.8404534Z"
}
],
"evidence": [ "evidence": [
{
"entityType": "File",
"sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
"sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
"fileName": "Your File Is Ready To Download_1911150169.exe",
"filePath": "C:\\Users\\temp2\\Downloads",
"processId": null,
"processCommandLine": null,
"processCreationTime": null,
"parentProcessId": null,
"parentProcessCreationTime": null,
"ipAddress": null,
"url": null,
"accountName": null,
"domainName": null,
"userSid": null,
"aadUserId": null,
"userPrincipalName": null
},
{
"entityType": "Process",
"sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
"sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
"fileName": "Your File Is Ready To Download_1911150169.exe",
"filePath": "C:\\Users\\temp2\\Downloads",
"processId": 24348,
"processCommandLine": "\"Your File Is Ready To Download_1911150169.exe\" ",
"processCreationTime": "2020-07-18T03:25:38.5269993Z",
"parentProcessId": 16840,
"parentProcessCreationTime": "2020-07-18T02:12:32.8616797Z",
"ipAddress": null,
"url": null,
"accountName": null,
"domainName": null,
"userSid": null,
"aadUserId": null,
"userPrincipalName": null
},
{ {
"entityType": "User", "entityType": "User",
"evidenceCreationTime": "2021-01-26T20:33:58.42Z",
"sha1": null, "sha1": null,
"sha256": null, "sha256": null,
"fileName": null, "fileName": null,
@ -248,13 +230,74 @@ Here is an example of the response.
"processCreationTime": null, "processCreationTime": null,
"parentProcessId": null, "parentProcessId": null,
"parentProcessCreationTime": null, "parentProcessCreationTime": null,
"parentProcessFileName": null,
"parentProcessFilePath": null,
"ipAddress": null, "ipAddress": null,
"url": null, "url": null,
"accountName": "temp2", "registryKey": null,
"domainName": "REDMOND", "registryHive": null,
"userSid": "S-1-5-21-1127532184-1642412920-1887927527-75363", "registryValueType": null,
"aadUserId": "319dc320-4ce3-4cd7-a0de-c476d146342d", "registryValue": null,
"userPrincipalName": "temp2@microsoft.com" "accountName": "eranb",
"domainName": "MIDDLEEAST",
"userSid": "S-1-5-21-11111607-1111760036-109187956-75141",
"aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",
"userPrincipalName": "temp123@microsoft.com",
"detectionStatus": null
},
{
"entityType": "Process",
"evidenceCreationTime": "2021-01-26T20:33:58.6133333Z",
"sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed",
"sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6",
"fileName": "rundll32.exe",
"filePath": "C:\\Windows\\SysWOW64",
"processId": 3276,
"processCommandLine": "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe",
"processCreationTime": "2021-01-26T20:31:32.9581596Z",
"parentProcessId": 8420,
"parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z",
"parentProcessFileName": "rundll32.exe",
"parentProcessFilePath": "C:\\Windows\\System32",
"ipAddress": null,
"url": null,
"registryKey": null,
"registryHive": null,
"registryValueType": null,
"registryValue": null,
"accountName": null,
"domainName": null,
"userSid": null,
"aadUserId": null,
"userPrincipalName": null,
"detectionStatus": "Detected"
},
{
"entityType": "File",
"evidenceCreationTime": "2021-01-26T20:33:58.42Z",
"sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",
"sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",
"fileName": "suspicious.dll",
"filePath": "c:\\temp",
"processId": null,
"processCommandLine": null,
"processCreationTime": null,
"parentProcessId": null,
"parentProcessCreationTime": null,
"parentProcessFileName": null,
"parentProcessFilePath": null,
"ipAddress": null,
"url": null,
"registryKey": null,
"registryHive": null,
"registryValueType": null,
"registryValue": null,
"accountName": null,
"domainName": null,
"userSid": null,
"aadUserId": null,
"userPrincipalName": null,
"detectionStatus": "Detected"
} }
] ]
}, },