
Windows Defender ATP (Advanced Threat Protection)

Editor : Microsoft

Description

Microsoft Defender ATP is a holistic, cloud-delivered endpoint security solution that includes risk-based vulnerability management and assessment, attack surface reduction, behavior-based and cloud-powered next-generation protection, endpoint detection and response (EDR), automatic investigation and remediation, managed hunting services, rich APIs, and unified security management.

Theoretical injector performance

23161 EPS

Log Samples and relative parsing

Sample 1 : <38>Jun 23 14:39:10
{ "AlertTime":"2020-06-12T14:38:06.2318284Z", "ComputerDnsName":"azerty0rjqmn.eu.company.local", "AlertTitle":"'KipodToolsCby' unwanted software was detected", "Category":"UnwantedSoftware", "Severity":"Informational", "AlertId":"da637275694972841754_1379926103", "Actor":"", "LinkToWDATP":"https://securitycenter.windows.com/alert/da637275694972841754_1379926103", "IocName":"", "IocValue":"", "CreatorIocName":"", "CreatorIocValue":"", "Sha1":"", "FileName":"iLividSetup-r390-n-bu.exe", "FilePath":"D:\X201\Videos", "IpAddress":"", "Url":"", "IoaDefinitionId":"910e98ad-0eb4-480b-8aa6-841e9ecad15e", "UserName":"", "AlertPart":0, "FullId":"da637275694972841754_1379926103:_jVYscG9dQzra7cInmuYszRGxJuAwQ03CodFG5HzCak=", "LastProcessedTimeUtc":"2020-06-12T14:56:00.0678844Z", "ThreatCategory":"BrowserModifier", "ThreatFamily":"KipodToolsCby", "ThreatName":"BrowserModifier:Win32/KipodToolsCby", "RemediationAction":"quarantine", "RemediationIsSuccess":false, "Source":"Antivirus", "Md5":"", "Sha256":"", "WasExecutingWhileDetected":false, "UserDomain":"", "LogOnUsers":"EU\userid", "MachineDomain":"eu.company.local", "MachineName":"azerty0rjqmn", "InternalIPv4List":"192.168.1.1;127.0.0.1", "InternalIPv6List":"fe80::1dc2:e1e:f27c:8a5b;::1", "FileHash":"", "DeviceID":"24aaaaaaaa71cedcccccccc4dfe7bbbbbbbb0aa7", "MachineGroup":"", "Description":"Potentially unwanted software is a category of applications that install and perform undesirable activity without adequate user consent. These applications are not necessarily malicious, but their behaviors often negatively impact the computing experience, even appearing to invade user privacy. 
Many of these applications display advertising, modify browser settings, and install bundled software.", "DeviceCreatedMachineTags":"", "CloudCreatedMachineTags":"", "CommandLine":"", "IncidentLinkToWDATP":"https://windows.com", "ReportID":2092774576, "ExternalId":"672A6DF99D8D8BD1C7D584105B6BAA2B8CD4263D", "IocUniqueId":"_jVYscG9dQzra7cInmuYszRGxJuAwQ03CodFG5HzCak=" }

Original log field          Output field
AlertTime                   [obs][ts]
AlertTitle                  [alarm][description]
Category                    [alarm][name]
Severity                    [alarm][sev]
AlertId                     [alarm][id]
WasExecutingWhileDetected   [alarm][impact]
Sha1                        [file][hash][sha1]
Sha256                      [file][hash][256]
Md5                         [file][hash][md5]
FileName                    [session][file][name]
FilePath                    [session][file][path]
ReportID                    [session][id]
ThreatCategory              [av][infection_category]
ThreatFamily                [av][virus_name]
ThreatName                  [av][signature]
RemediationAction           [action]
RemediationIsSuccess        [app][return][code]
UserDomain                  [target][usr][domain]
LogOnUsers                  [target][usr][id]
MachineDomain               [target][host][domain]
MachineName                 [target][host][name]
DeviceID                    [target][host][id]
InternalIPv4List            [target][host][ip]
InternalIPv6List            [target][host][ipv6]
IncidentLinkToWDATP         [reference][url]
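As an added example (not the product's or the parser's own code), the Python routine below splits the syslog prefix from the JSON body, tolerates the two quirks visible in Sample 1 (unescaped backslashes in Windows paths such as D:\X201\Videos and EU\userid, and a raw newline inside the Description string), and applies the mapping table above; the SAMPLE string and the "syslog" facility/severity fields are constructed assumptions, not part of the page.

```python
import json
import re
# Mapping copied from the table above; [obs][ts] is written as the dotted path "obs.ts".
FIELD_MAP = {
    "AlertTime": "obs.ts", "AlertTitle": "alarm.description", "Category": "alarm.name",
    "Severity": "alarm.sev", "AlertId": "alarm.id", "WasExecutingWhileDetected": "alarm.impact",
    "Sha1": "file.hash.sha1", "Sha256": "file.hash.256", "Md5": "file.hash.md5",
    "FileName": "session.file.name", "FilePath": "session.file.path", "ReportID": "session.id",
    "ThreatCategory": "av.infection_category", "ThreatFamily": "av.virus_name",
    "ThreatName": "av.signature", "RemediationAction": "action", "RemediationIsSuccess": "app.return.code",
    "UserDomain": "target.usr.domain", "LogOnUsers": "target.usr.id", "MachineDomain": "target.host.domain",
    "MachineName": "target.host.name", "DeviceID": "target.host.id", "InternalIPv4List": "target.host.ip",
    "InternalIPv6List": "target.host.ipv6", "IncidentLinkToWDATP": "reference.url",
}
LIST_FIELDS = {"InternalIPv4List", "InternalIPv6List"}  # ';'-separated in the raw event
# '<PRI>Mon DD HH:MM:SS' followed by the JSON object; DOTALL because the body may span lines.
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\s+(\{.*\})\s*$", re.DOTALL)
# A backslash that does not start a valid JSON escape is doubled so json.loads accepts it.
# Known limit: a path segment that looks like a real escape (\n, \t, ...) still decodes as one.
BAD_ESCAPE_RE = re.compile(r'\\(?!["\\/bfnrt]|u[0-9a-fA-F]{4})')
# Constructed sample, abbreviated from Sample 1 above (not a captured event).
SAMPLE = (
    "<38>Jun 23 14:39:10 "
    '{ "AlertTime":"2020-06-12T14:38:06.2318284Z", "AlertTitle":"\'KipodToolsCby\' unwanted software was detected", '
    '"Category":"UnwantedSoftware", "Severity":"Informational", "AlertId":"da637275694972841754_1379926103", '
    '"Sha1":"", "FileName":"iLividSetup-r390-n-bu.exe", "FilePath":"D:\\X201\\Videos", '
    '"RemediationAction":"quarantine", "RemediationIsSuccess":false, "LogOnUsers":"EU\\userid", '
    '"MachineName":"azerty0rjqmn", "InternalIPv4List":"192.168.1.1;127.0.0.1", '
    '"Description":"These applications are not necessarily malicious.\nMany display advertising." }'
)

def parse_wdatp(line):
    """Parse one syslog-wrapped WDATP alert into the nested output schema of the table above."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog-prefixed WDATP alert")
    pri, body = int(m.group(1)), BAD_ESCAPE_RE.sub(r"\\\\", m.group(3))
    event = json.loads(body, strict=False)  # strict=False: Description may carry a raw newline
    out = {"syslog": {"facility": pri >> 3, "severity": pri & 7}}  # assumed extra fields
    for src, path in FIELD_MAP.items():
        if src not in event or event[src] == "":
            continue  # empty strings in the sample carry no information; leave the key absent
        value = event[src].split(";") if src in LIST_FIELDS else event[src]
        node = out
        *parents, leaf = path.split(".")
        for key in parents:
            node = node.setdefault(key, {})
        node[leaf] = value
    return out
```

Fields that are empty strings in the sample (Sha1, Md5, IocName, ...) are deliberately left out of the output rather than mapped as empty values.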