false positives may vary based on microsfot defender configuration; monitor and filter out the alerts that are not relevant to your environment.

Techniques

Sample rules

Microsoft Defender Incident Alerts

source: splunk
technicques:

Description

The following analytic is to leverage alerts from Microsoft Defender O365 Incidents. This query aggregates and summarizes all alerts from Microsoft Defender O365 Incidents, providing details such as the destination, file name, severity, process command line, ip address, registry key, signature, description, unique id, and timestamps. This detection is not intended to detect new activity from raw data, but leverages Microsoft provided alerts to be correlated with other data as part of risk based alerting. The data contained in the alert is mapped not only to the risk obejct, but also the threat object. This detection filters out evidence that has a verdict of clean from Microsoft. It dynamically maps the MITRE technique at search time to auto populate the annotation field with the value provided in the alert. It also uses a static mapping to set the risk score based on the severity of the alert.

Detection logic

`ms365_defender_incident_alerts`  (dest=* OR user=*) 
| eval tmp_entities=json_extract(_raw, "entities"), tmp_entitymv=json_array_to_mv(tmp_entities), tmp_filtered_mv=mvfilter(json_extract(tmp_entitymv, "verdict") != "Clean"), entityType = mvmap(tmp_filtered_mv, spath(tmp_filtered_mv, "entityType")), filePath = mvmap(tmp_filtered_mv, spath(tmp_filtered_mv, "filePath")), processCommandLine = mvmap(tmp_filtered_mv, spath(tmp_filtered_mv, "processCommandLine")), ipAddress = mvmap(tmp_filtered_mv, spath(tmp_filtered_mv, "ipAddress")), registryKey = mvmap(tmp_filtered_mv, spath(tmp_filtered_mv, "registryKey")), url = mvmap(tmp_filtered_mv, spath(tmp_filtered_mv, "url")) 
| eval tmp_filtered_mv=mvfilter(json_extract(tmp_filtered_mv, "entityType") = "File"), fileName = mvmap(tmp_filtered_mv, spath(tmp_filtered_mv, "fileName")) 
| eval risk_score=case(severity="informational", 5, severity="low", 15, severity="medium", 25, severity="high", 50, true(), 2) 
| stats count  min(_time) as firstTime max(_time) as lastTime values(fileName) as file_name values(severity) as severity values(processCommandLine) as process values(ipAddress) as ip_address values(registryKey) as registry_key values(url) as url values(mitreTechniques{}) as annotations.mitre_attack.mitre_technique_id values(signature) as signature values(user) as user values(risk_score) as risk_score by id description dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `microsoft_defender_incident_alerts_filter`

Microsoft Defender ATP Alerts

source: splunk
technicques:

Description

The following analytic is to leverage alerts from Microsoft Defender ATP Alerts. This query aggregates and summarizes all alerts from Microsoft Defender ATP Alerts, providing details such as the source, file name, severity, process command line, ip address, registry key, signature, description, unique id, and timestamps. This detection is not intended to detect new activity from raw data, but leverages Microsoft provided alerts to be correlated with other data as part of risk based alerting. The data contained in the alert is mapped not only to the risk obejct, but also the threat object. This detection filters out evidence that has a verdict of clean from Microsoft. It dynamically maps the MITRE technique at search time to auto populate the annotation field with the value provided in the alert. It also uses a dynamic mapping to set the risk score in Enterprise Security based on the severity of the alert.

Detection logic

 `ms_defender_atp_alerts` (dest=* OR user=*)
| eval tmp_evidence=json_extract(_raw, "evidence"), tmp_evidencemv=json_array_to_mv(tmp_evidence), entityType = mvmap(tmp_evidencemv, spath(tmp_evidencemv, "entityType")), filePath = mvmap(tmp_evidencemv, spath(tmp_evidencemv, "filePath")), processCommandLine = mvmap(tmp_evidencemv, spath(tmp_evidencemv, "processCommandLine")), ipAddress = mvmap(tmp_evidencemv, spath(tmp_evidencemv, "ipAddress")), registryKey = mvmap(tmp_evidencemv, spath(tmp_evidencemv, "registryKey")), url = mvmap(tmp_evidencemv, spath(tmp_evidencemv, "url")), fileName = mvmap(tmp_evidencemv, spath(tmp_evidencemv, "fileName")) 
| eval tmp_evidencemv=mvfilter(json_extract(tmp_evidencemv, "entityType") = "File"), fileName = mvmap(tmp_evidencemv, spath(tmp_evidencemv, "fileName")) 
| eval risk_score=case(severity="informational", 5, severity="low", 15, severity="medium", 25, severity="high", 50 , true(), 2) 
| eval processCommandLine=if(processCommandLine="null", "", processCommandLine), ipAddress=if(ipAddress="null", "", ipAddress), registryKey=if(registryKey="null", "", registryKey), url=if(url="null", "", url) 
| stats count min(_time) as firstTime max(_time) as lastTime values(fileName) as file_name values(severity) as severity values(processCommandLine) as process values(ipAddress) as ip_address values(registryKey) as registry_key values(url) as url values(mitreTechniques{}) as annotations.mitre_attack.mitre_technique_id values(signature) as signature values(user) as user values(risk_score) as risk_score by id description src 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `microsoft_defender_atp_alerts_filter`