Microsoft Defender for Endpoint Content Pack

The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution that helps to secure against ransomware, file-less malware, and other sophisticated attacks on Windows, macOS, Linux, Android, and iOS.

Supported Versions

Graylog Server 5.2 or later

Requirement(s)

Microsoft Defender for Endpoint Plan 1 or Plan 2.
Graylog Server with a valid Enterprise license.

Stream Configuration

This technology pack includes 1 stream:

"Illuminate:Microsoft Defender for Endpoint Messages"

Hint: If this stream does not exist prior to the activation of this pack then it is created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration

This technology pack includes 1 index set definition:

"Microsoft Defender for Endpoint Logs"

Hint: If this index set is already defined, then nothing is changed. If this index set does not exist, then it is created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Collection and Delivery

Microsoft Defender for Endpoint utilizes the Graylog Microsoft Defender for Endpoint input that ingests alert logs in JSON format. Documentation detailing the configuration of this input can be found in the Graylog documentation.

Due to how Illuminate processes nested arrays, for each evidence entityType (Process, User, IP, File, URL), only one result per entityType is processed by Illuminate. Additional results can still be seen in the evidence_array field and GIM-specific fields such as user_name, file_name, and file_path.

Log Format Example

{"id":"da20708b1e-8554-4ec8-b59c-925c4663aa3a_1","incidentId":2,"investigationId":null,"assignedTo":null,"severity":"Medium","status":"New","classification":null,"determination":null,"investigationState":"UnsupportedAlertType","detectionSource":"WindowsDefenderAtp","detectorId":"7f1c3609-a3ff-40e2-995b-c01770161d68","category":"Execution","threatFamilyName":null,"title":"Suspicious PowerShell command line","description":"A suspicious PowerShell activity was observed on the machine.","alertCreationTime":"2023-04-06T10:41:43.691043Z","firstEventTime":"2023-04-06T10:39:00.7407597Z","lastEventTime":"2023-04-06T10:42:49.3567967Z","lastUpdateTime":"2023-04-06T10:45:41.5166667Z","resolvedTime":null,"machineId":"31328158e55872c03a1b5ec4c96744cbb82c8f4b","computerDnsName":"win-tfb8l7bi77h","rbacGroupName":"UnassignedGroup","aadTenantId":"df620235-50d7-4400-bb7e-3b112e9b1ff4","threatName":null,"mitreTechniques":["T1059.001","T1105","T1140"],"relatedUser":{"userName":"Administrator","domainName":"WIN-TFB8L7BI77H"},"loggedOnUsers":[{"accountName":"testuser","domainName":"DESKTOP-IIQVPJ7"}],"comments":[{"comment":"test comment","createdBy":"secop123@contoso.com","createdTime":"2020-07-21T01:00:37.8404534Z"}],"evidence":[{"entityType":"Process","evidenceCreationTime":"2023-04-06T10:45:41.51Z","sha1":"6cbce4a295c163791b60fc23d285e6d84f28ee4c","sha256":"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c","fileName":"powershell.exe","filePath":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","processId":10520,"processCommandLine":"powershell.exe -NoExit -ExecutionPolicy Bypass","processCreationTime":"2023-04-06T10:42:49.2635644Z","parentProcessId":5212,"parentProcessCreationTime":"2023-04-06T10:40:44.9749107Z","parentProcessFileName":"cmd.exe","parentProcessFilePath":"C:\\Windows\\System32","ipAddress":null,"url":null,"accountName":"Administrator","domainName":"WIN-TFB8L7BI77H","userSid":"S-1-5-21-3669279935-616031708-4259075843-500","aadUserId":null,"userPrincipalName":null,"detectionStatus":"Detected"},{"entityType":"Ip","evidenceCreationTime":"2023-04-06T10:41:43.81Z","ipAddress":"10.10.10.173","url":null,"detectionStatus":null}],"domains":[]}

What is Provided

Field extraction, normalization, and message enrichment for Microsoft Defender for Endpoint alert log messages.
Graylog Information Model categorization and enforcement fields for alert events.
Illuminate Spotlight: Microsoft Defender for Endpoint Overview dashboard and saved search.

GIM Categorization

GIM event type categorization is provided for the following message types:

Log Type	gim_event_type_code	gim_event_category	gim_event_subcategory	gim_event_type
Defender for Endpoint Alerts (all)	300000	detection	detection.network_detection	ids_detection

Fields Extracted by This Pack

Alert Fields

Fields extracted from the root-level alert JSON object.

Alert Fields ▼

Illuminate Field	Vendor / Source Field	Description
alert_category	category	Alert threat category (e.g. Execution, LateralMovement, Ransomware)
alert_severity	severity	Alert severity text, lowercased (low, medium, high, informational)
alert_severity_level	severity (derived)	Numeric severity level derived by core pipeline from alert_severity text
alert_signature	title	Alert title / detection rule name
attacks_technique_name	mitreTechniques (lookup)	MITRE ATT&CK technique names resolved from UIDs (array)
attacks_technique_uid	mitreTechniques	MITRE ATT&CK technique UIDs (array)
comments_comment	comments[].comment	Text of the first alert comment
comments_count	comments (derived)	Number of comments on the alert
comments_createdBy	comments[].createdBy	Author of the first alert comment
comments_createdTime	comments[].createdTime	Timestamp of the first alert comment
destination_reference	(GIM derived)	Set to undefined; no destination host is present in alert data
event_created	alertCreationTime	Timestamp when the alert was created
event_end	lastEventTime	Timestamp of the last event associated with the alert
event_log_name	(hardcoded)	Always set to 'alerts'
event_source_product	event_source_product	Set at input time to 'microsoft_defender_endpoint'
event_start	firstEventTime	Timestamp of the first event associated with the alert
event_uid	id	Unique alert identifier
host_hostname	computerDnsName	DNS hostname of the affected endpoint, lowercased
source_reference	(GIM derived)	Affected endpoint IP (from IP evidence) falling back to host_hostname
vendor_alert_description	description	Full text description of the alert
vendor_data_aad_tenant_id	aadTenantId	Azure AD tenant ID
vendor_data_detector_id	detectorId	ID of the detection rule that triggered the alert
vendor_data_event_status	status	Alert status (e.g. New, InProgress, Resolved)
vendor_data_incident_id	incidentId	ID of the incident this alert belongs to
vendor_data_investigation_state	investigationState	State of the automated investigation
vendor_data_last_update	lastUpdateTime	Timestamp when the alert was last updated
vendor_data_machine_id	machineId	Internal machine identifier of the affected endpoint
vendor_data_rbac_group_name	rbacGroupName	RBAC device group the affected endpoint belongs to
vendor_subtype	detectionSource	Detection source identifier (e.g. WindowsDefenderAtp)

Evidence Entity Fields

Fields extracted from alert evidence entities. Only one entry per entity type (Process, File, IP, User, URL) is processed.

Evidence Fields ▼

Illuminate Field	Evidence Entity Type	Vendor / Source Field
evidence_count	All	Total number of evidence entities in the alert
evidence_count_file	File	Number of File evidence entities
evidence_count_ip	IP	Number of IP evidence entities
evidence_count_process	Process	Number of Process evidence entities
evidence_count_url	URL	Number of URL evidence entities
evidence_count_user	User	Number of User evidence entities
evidence_file_event_action	File	detectionStatus
evidence_file_evidenceCreationTime	File	evidenceCreationTime
evidence_file_fileName	File	fileName
evidence_file_filePath	File	filePath
evidence_file_sha1	File	sha1
evidence_file_sha256	File	sha256
evidence_ip_evidenceCreationTime	IP	evidenceCreationTime
evidence_process_accountName	Process	accountName
evidence_process_domainName	Process	domainName
evidence_process_event_action	Process	detectionStatus
evidence_process_evidenceCreationTime	Process	evidenceCreationTime
evidence_process_fileName	Process	fileName
evidence_process_filePath	Process	filePath
evidence_process_parentProcessCreationTime	Process	parentProcessCreationTime
evidence_process_parentProcessFileName	Process	parentProcessFileName
evidence_process_parentProcessFilePath	Process	parentProcessFilePath
evidence_process_parentProcessId	Process	parentProcessId
evidence_process_processCreationTime	Process	processCreationTime
evidence_process_processId	Process	processId
evidence_process_sha1	Process	sha1
evidence_process_sha256	Process	sha256
evidence_process_user_id	Process	userSid
evidence_user_accountName	User	accountName
evidence_user_domainName	User	domainName
evidence_user_evidenceCreationTime	User	evidenceCreationTime
evidence_user_user_id	User	userSid
domain_name	Process / User (combined)	domainName (array across all entities)
file_name	Process / File (combined)	fileName (array across all entities)
file_path	Process / File (combined)	filePath (array across all entities)
host_ip	IP	ipAddress (renamed from evidence_ip_ipAddress)
process_command_line	Process	processCommandLine (first process only)
process_id	Process	processId (array across all Process entities)
process_name	Process	fileName (array across all Process entities)
process_parent_id	Process	parentProcessId (array across all Process entities)
process_parent_name	Process	parentProcessFileName (array across all Process entities)
process_parent_path	Process	parentProcessFilePath (array across all Process entities)
user_name	User / Process (combined)	accountName (array across all entities)