Get Incidents List
Description: Retrieve and sort a list of incidents from Microsoft Defender to support security response workflows. (Note: the inputs listed below expose no explicit ordering parameter; confirm how sorting is applied, or sort the returned `value` array client-side.) Endpoint URL: api/incidents. Method: GET. Inputs: parameters (object) — $filter (string): filters results on the lastUpdateTime, createdTime, status, and assignedTo properties; for guidance on using $filter, see https://learn.microsoft.com/en-us/graph/filter-query-parameter. Because $filter is an OData expression passed through to the API, any part of it built from upstream playbook inputs or user-supplied values should be quoted and escaped rather than concatenated raw into the expression. $top (number): sets the page size of results. $skip (number): indexes into a result set; it is also used by some actions to implement paging and can be combined with $top to page through results manually. Handling note: as the example below shows, the response carries identity and host data (tenant ID in incidentUri, user principal names, user SIDs, device IDs, logged-on account names, IP addresses), so stored or forwarded output should be treated as sensitive. Output example: \[ { "@odata context" "https //api security microsoft com/api/$metadata#incidents", "value" \[ { "incidentid" 437, "incidenturi" "https //security microsoft com/incidents/437?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "unfamiliar sign in properties involving one user", "createdtime" "2023 05 10t09 33 15 32z", "lastupdatetime" "2023 05 10t09 33 15 53z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "active", "severity" "high", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "ad3ef58dc561c3234527be2d9ff82524a967a5fb1c", "provideralertid" "039e0aead168175b4945b6eb116391f45e0701ea8777529e1b9bce5992760803", "incidentid" 437, "servicesource" "aadidentityprotection", "creationtime" "2023 05 10t09 33 14 6226578z", "lastupdatedtime" "2023 05 10t09 33 16 1033333z", "resolvedtime" null, "firstactivity" "2023 05 10t09 29 24 2969531z", "lastactivity" "2023 05 10t09 29 24 2969531z", "title" "unfamiliar sign in properties", "description" "the following properties of this sign in are unfamiliar for the given user asn, browser, device, ip, location, easid, tenantipsubnet", "category" "initialaccess", "status" "new", "severity" "high", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" null, "determination" null, 
"detectionsource" "aad", "detectorid" "unfamiliarlocation", "assignedto" null, "actorname" null, "threatfamilyname" null, "mitretechniques" \[ "t1078", "t1078 004" ], "devices" \[], "entities" \[ { "entitytype" "user", "evidencecreationtime" "2023 05 10t09 33 14 89z", "verdict" "suspicious", "remediationstatus" "none", "accountname" "pov", "usersid" "s 1 12 1 1510799150 1340649529 3182594751 1539246002", "aaduserid" "5a0cf72e b039 4fe8 bf8a b2bdb207bf5b", "userprincipalname" "pov\@swimlaneintegrations onmicrosoft com" }, { "entitytype" "ip", "evidencecreationtime" "2023 05 10t09 33 14 89z", "verdict" "suspicious", "remediationstatus" "none", "ipaddress" "93 243 188 4" } ] } ] }, { "incidentid" 419, "incidenturi" "https //security microsoft com/incidents/419?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "multiple threat families detected including ransomware on multiple endpoints", "createdtime" "2023 05 06t05 44 46 2466667z", "lastupdatetime" "2023 05 09t16 28 38 2933333z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "active", "severity" "high", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "da0c2f2b80 48ee 4eb4 806a e756deb586fa 1", "provideralertid" "0c2f2b80 48ee 4eb4 806a e756deb586fa 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 06t05 44 45 3346482z", "lastupdatedtime" "2023 05 06t05 44 47 1866667z", "resolvedtime" null, "firstactivity" "2023 05 06t05 29 45 4250215z", "lastactivity" "2023 05 06t05 29 45 4250215z", "title" "'powerpuff' hacktool was prevented", "description" "readily available tools, such as hacking programs, can be used by unauthorized individuals to spy on users when used by attackers, these tools are often installed without authorization and used to compromise targeted machines \n\nthese tools are often used to collect personal information from browser records, record key presses, access email and instant 
messages, record voice and video conversations, and take screenshots \n\nthis detection might indicate that microsoft defender antivirus has stopped the tool from being installed and used effectively however, it is prudent to check the machine for the files and processes associated with the detected tool ", "category" "malware", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "5ec617e4 67e1 44be a592 067be1d5b31d", "assignedto" null, "actorname" null, "threatfamilyname" "powerpuff", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 06t05 44 45 73z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "133e97f9b8a0fbace979287c0f69a0bf7bcfca59", "sha256" "d744879999e407c9b1ce1438d9d1747086c02f8998885e8bddb47fdb5343303a", "filename" "powerdump ps1", "filepath" "c \\\metasploit framework\\\embedded\\\framework\\\data\\\exploits\\\powershell", "detectionstatus" "prevented", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] }, { "alertid" "da13b6a8b4 526a 4ead a9eb 7ad9442b3cfa 1", "provideralertid" "13b6a8b4 526a 4ead a9eb 7ad9442b3cfa 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 06t06 13 00 2564215z", "lastupdatedtime" "2023 05 06t22 56 50 58z", "resolvedtime" null, "firstactivity" "2023 05 06t05 41 13 
4620582z", "lastactivity" "2023 05 06t22 54 00 0278501z", "title" "meterpreter post exploitation tool", "description" "meterpreter, a post exploitation tool was detected on this device meterpreter is deployed using dll injection meterpreter was used in a wide range of documented attacks, including attacks involving state sponsored groups and groups associated with ransomware campaigns an attacker might be attempting to establish persistence, discover and steal credentials, or install and launch a payload in the device that might lead to further system compromise detections of meterpreter tools and activity should be thoroughly investigated ", "category" "suspiciousactivity", "status" "new", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "f37b8bc2 cfd2 4a8e ac62 24a7df1e698c", "assignedto" null, "actorname" null, "threatfamilyname" "meterpreter", "mitretechniques" \[ "t1055 001" ], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 06t06 13 00 4133333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "f19bd49a1571a06bc931e583cc9bda79179afa8e", "sha256" "ac1028a0fa09677172cd14df2de0274c93c07126981d1098e4ad3e5d8954189b", "filename" "ext server stdapi jar", "filepath" "c \\\metasploit framework\\\embedded\\\lib\\\ruby\\\gems\\\2 7 0\\\gems\\\metasploit payloads 2 0 
50\\\data\\\meterpreter", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 05 06t06 13 00 5966667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "ddfe9799efaf112030b08f1d6b0808d16398b866", "sha256" "a1727f4cbf0de74b730ff762bf16e6e5259c0574d64dc2cc7d417cd8a6023b8b", "filename" "ext server stdapi jar", "filepath" "c \\\metasploit framework\\\embedded\\\lib\\\ruby\\\gems\\\2 7 0\\\gems\\\metasploit payloads 2 0 50\\\data\\\meterpreter", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 05 06t06 13 00 74z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "62fac9889115bebb3d289d980f69d2fdd3bc6ba6", "sha256" "33306847ffd0428112a8b5c270b2be18787d347f521eddb3f0e55118570eea9e", "filename" "ext server stdapi jar", "filepath" "c \\\metasploit framework\\\embedded\\\lib\\\ruby\\\gems\\\2 7 0\\\gems\\\metasploit payloads 2 0 50\\\data\\\meterpreter", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 05 06t06 13 00 92z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "c6ccaaaa7b2f788533b2596eff8c778bae0aac98", "sha256" "800b354c1d13471089e491c144f47ada4e45ad2609b745ec5993c7202c682e36", "filename" "ext server stdapi jar", "filepath" "c \\\metasploit framework\\\embedded\\\lib\\\ruby\\\gems\\\2 7 0\\\gems\\\metasploit payloads 2 0 50\\\data\\\meterpreter", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 05 06t06 13 00 9633333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "2f2cacdc1915271a1520cb4c400427cb99a17071", "sha256" "64482b273ee720a277e0120837eb4331c0a3537908b83e1117ea488d8a286ff1", "filename" "ext server stdapi jar", "filepath" "c \\\metasploit 
framework\\\embedded\\\lib\\\ruby\\\gems\\\2 7 0\\\gems\\\metasploit payloads 2 0 50\\\data\\\meterpreter", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 05 06t06 13 01 1333333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "04ac263430e5fd2034c8ad9d6415359420e2075e", "sha256" "eeb380703ed0793199a43ff4494289f5e30b76b58d276ec0e61b58dac053e6d6", "filename" "ext server stdapi jar", "filepath" "c \\\metasploit framework\\\embedded\\\lib\\\ruby\\\gems\\\2 7 0\\\gems\\\metasploit payloads 2 0 50\\\data\\\meterpreter", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 05 06t06 13 01 37z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "56bd0d3aa79cafe0cb7669282f38cff0607cb8f0", "sha256" "d03731f0df805fcb0c6060e5efeaffeaaf3402a0b19793aa3f504d8b872a44c7", "filename" "ext server stdapi jar", "filepath" "c \\\metasploit framework\\\embedded\\\lib\\\ruby\\\gems\\\2 7 0\\\gems\\\metasploit payloads 2 0 50\\\data\\\meterpreter", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 05 06t06 13 01 4766667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "3cf176c6e81d94444ec8a146b0eceaf1cfbad54c", "sha256" "d224a52a3ec46715a3ceee104f2cffcbc07c3fa3818adbbb87c1238ce6ce348e", "filename" "ext server stdapi jar", "filepath" "c \\\metasploit framework\\\embedded\\\lib\\\ruby\\\gems\\\2 7 0\\\gems\\\metasploit payloads 2 0 50\\\data\\\meterpreter", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 05 06t06 13 01 7533333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "0ebb70aed821b32f686f3e9d47ac6ecb8a1c6cc8", "sha256" "9b9adacdb1a4acd14ee2ae45a9c70f150a563090d5479c093df955659b1f8116", 
"filename" "ext server stdapi jar", "filepath" "c \\\metasploit framework\\\embedded\\\lib\\\ruby\\\gems\\\2 7 0\\\gems\\\metasploit payloads 2 0 50\\\data\\\meterpreter", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 05 06t06 13 02 1033333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "03988092127fbe4d800cce3b8dd5e1086bed775a", "sha256" "1b50bd69646d916b46af3c6e00b7f5c3c74b67b6ee7f34ed999dfe9052bef18a", "filename" "ext server stdapi jar", "filepath" "c \\\metasploit framework\\\embedded\\\lib\\\ruby\\\gems\\\2 7 0\\\gems\\\metasploit payloads 2 0 50\\\data\\\meterpreter", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 05 06t06 13 02 15z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "6929a83376ceae32694ac6a5b9d6dd933e945838", "sha256" "6ffa8471e66b4c98560c9236695bbbe776f0510a96831118e91a92bade92d969", "filename" "ext server stdapi jar", "filepath" "c \\\metasploit framework\\\embedded\\\lib\\\ruby\\\gems\\\2 7 0\\\gems\\\metasploit payloads 2 0 50\\\data\\\meterpreter", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 05 06t06 13 02 4233333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "9240c8e33bd7ab57d6d941cc67fbc4c368805162", "sha256" "9f0fb0bcd2ffa1be55202ec12842b21fd6cbc66ed8d6ab8c2ad39621b6492ebe", "filename" "ext server stdapi jar", "filepath" "c \\\metasploit framework\\\embedded\\\lib\\\ruby\\\gems\\\2 7 0\\\gems\\\metasploit payloads 2 0 50\\\data\\\meterpreter", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 05 06t06 13 02 6233333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "d11d98d907ff53868783f8e419decfcafe0bfdf3", "sha256" 
"5b99a4cb4cedd6793f6af54fefd4236ebb9957caaac21958ac3fc356ae88b39b", "filename" "ext server stdapi jar", "filepath" "c \\\metasploit framework\\\embedded\\\lib\\\ruby\\\gems\\\2 7 0\\\gems\\\metasploit payloads 2 0 50\\\data\\\meterpreter", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 05 06t22 56 50 3733333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "b6634d91a6ddea33d0c588c2be64e5fd09bbba78", "sha256" "344f8a6a89a2457dbe9dfe6ecc0ab5f849d877768c27bc81e668b5719af6686d", "filename" "metasploit payloads 2 0 50 gem", "filepath" "c \\\metasploit framework\\\embedded\\\lib\\\ruby\\\gems\\\2 7 0\\\cache", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 05 06t22 56 50 5533333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "bf4658894515035906098620588926aab13da72c", "sha256" "40337b977706aec3741eb0dc48e25fe4954e1e9d4a16aa098e8285859cda4f3f", "filename" "metasploit payloads 2 0 50 gem", "filepath" "c \\\metasploit framework\\\embedded\\\lib\\\ruby\\\gems\\\2 7 0\\\cache", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] }, { "alertid" "da69a91407 91a9 4ee2 a790 9fdf597da94e 1", "provideralertid" "69a91407 91a9 4ee2 a790 9fdf597da94e 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 06t22 56 50 151353z", "lastupdatedtime" "2023 05 06t23 02 39 33z", "resolvedtime" "2023 05 06t23 02 39 3139346z", "firstactivity" "2023 05 06t22 54 00 0277481z", "lastactivity" "2023 05 06t22 54 00 0277481z", "title" "'cve 2014 0515' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a 
targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "resolved", "severity" "low", "investigationid" 15, "investigationstate" "benign", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" "automation", "actorname" null, "threatfamilyname" "cve 2014 0515", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 06t22 56 50 38z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "7d5ed7cddd2cbe580a88b90a89695216ef25e346", "sha256" "3c131569aaec7e3b313c8f03305d8eb8ef9915bbfe819c6d4a9b4b02f3f163ef", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] }, { "alertid" "da49aa0cdf 294f 4811 99f6 67fd0409ef74 1", "provideralertid" "49aa0cdf 294f 4811 99f6 67fd0409ef74 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 06t22 56 50 1988686z", "lastupdatedtime" "2023 05 06t23 02 21 2233333z", "resolvedtime" "2023 05 06t23 02 21 1059436z", "firstactivity" "2023 05 06t22 54 00 0276782z", "lastactivity" "2023 05 06t22 
54 00 0276782z", "title" "'aicat' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "resolved", "severity" "low", "investigationid" 16, "investigationstate" "benign", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" "automation", "actorname" null, "threatfamilyname" "aicat", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 06t22 56 50 3766667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "0b884a0b72e389bb40e6efd88b3cf977d7410e45", "sha256" "cc9a1c9f982e04404567d73b6f0a19bfac43a63280c47f3fa94d64d24d1c544a", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] }, { "alertid" "dae81f1b63 048e 4e90 9fa6 c2b41d2ffeae 1", "provideralertid" "e81f1b63 048e 4e90 9fa6 
c2b41d2ffeae 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 07t13 25 22 0632912z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" "2023 05 07t13 37 05 5168105z", "firstactivity" "2023 05 07t13 23 12 8358057z", "lastactivity" "2023 05 07t13 23 12 8358057z", "title" "'metasploit' malware was detected during a scheduled scan", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "resolved", "severity" "informational", "investigationid" 17, "investigationstate" "successfullyremediated", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" null, "actorname" null, "threatfamilyname" "metasploit", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 07t13 25 22 24z", "verdict" "malicious", "remediationstatus" "remediated", "sha1" "37c056340745999fe170c9c9efcbc0503966891b", "sha256" 
"4fe01cdb89bf5b8dd4b97cb58e650b0b835ef1f2176b2da827502c97315fbbcc", "filename" "payload class", "filepath" "c \\\metasploit framework\\\embedded\\\framework\\\data\\\exploits\\\cve 2010 0094", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] }, { "alertid" "da714132dc 9c3c 4a7a a598 5f38a7d2ac0e 1", "provideralertid" "714132dc 9c3c 4a7a a598 5f38a7d2ac0e 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 07t13 25 22 2027282z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" "2023 05 07t13 37 08 431682z", "firstactivity" "2023 05 07t13 23 12 8358414z", "lastactivity" "2023 05 07t13 23 12 8358414z", "title" "'skeeyah' malware was detected during a scheduled scan", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "resolved", "severity" "informational", "investigationid" 18, "investigationstate" "successfullyremediated", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" null, "actorname" null, "threatfamilyname" "skeeyah", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], 
"defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 07t13 25 22 35z", "verdict" "malicious", "remediationstatus" "remediated", "sha1" "7f609a3b058f9af7b24bcf843bd3b59059eda134", "sha256" "606f0e3853087daae973885e1c8c263efd837b18a8769dd9cffe6f039b597945", "filename" "cve 2019 1322 exe exe", "filepath" "c \\\metasploit framework\\\embedded\\\framework\\\data\\\exploits\\\cve 2019 1322", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] }, { "alertid" "dab1d2840b 408a 4eeb bd4d 2f4a0550b05f 1", "provideralertid" "b1d2840b 408a 4eeb bd4d 2f4a0550b05f 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 07t13 25 22 2054811z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" "2023 05 07t13 37 08 431682z", "firstactivity" "2023 05 07t13 23 12 8358714z", "lastactivity" "2023 05 07t13 23 12 8358997z", "title" "'cryptinject' malware was detected during a scheduled scan", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "resolved", "severity" "informational", "investigationid" 18, "investigationstate" "successfullyremediated", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" null, "actorname" null, "threatfamilyname" 
"cryptinject", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 07t13 25 22 41z", "verdict" "malicious", "remediationstatus" "remediated", "sha1" "8fc330915ed04304be5f92f10944d188d31d575c", "sha256" "3b0e45341fedbca68b969c651bad75a4c697982bdd8594d2bf29e8dd58414c98", "filename" "template x64 windows mixed mode dll", "filepath" "c \\\metasploit framework\\\embedded\\\framework\\\data\\\templates", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 05 07t13 25 22 7333333z", "verdict" "malicious", "remediationstatus" "remediated", "sha1" "2419536d39cf87e415fc77c42fc6f45c17e59984", "sha256" "d8d2477e1f0fabfa5419e29f891907e7a367b2797d27f3ee71d4c59ff776191b", "filename" "template x86 windows mixed mode dll", "filepath" "c \\\metasploit framework\\\embedded\\\framework\\\data\\\templates", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] }, { "alertid" "daa6d14267 359e 4a5e a478 0a44eac4e666 1", "provideralertid" "a6d14267 359e 4a5e a478 0a44eac4e666 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 07t13 25 22 2056743z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 07t13 23 12 8357271z", "lastactivity" "2023 05 08t01 17 13 9070565z", "title" "malware was detected in a zip archive file during a scheduled 
scan", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected devices\u200b some of these undesirable applications can replicate and spread from one device to another other devices receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection indicates that malware was found in an archive file the malware has not been launched if real time protection is turned on and the threat is not excluded, any attempt to detonate the malware from this archive will be blocked ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "12cfe475 4973 4a03 ad53 60dca8bf9d3d", "assignedto" null, "actorname" null, "threatfamilyname" "eicar test file", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 07t13 25 22 2766667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "3395856ce81f2b7382dee72602f798b642f14140", "sha256" "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", "filename" "eicarcom2 zip", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] }, { "alertid" "da8b43b1cc f89b 4e7b bd31 1d8ccc8b9e4f 1", 
"provideralertid" "8b43b1cc f89b 4e7b bd31 1d8ccc8b9e4f 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 07t13 35 18 9717938z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 07t13 23 14 4544585z", "lastactivity" "2023 05 08t01 17 17 8110727z", "title" "malware was detected in a zip archive file", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected devices\u200b some of these undesirable applications can replicate and spread from one device to another other devices receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection indicates that malware was found in an archive file the malware has not been launched if real time protection is turned on and the threat is not excluded, any attempt to detonate the malware from this archive will be blocked ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "12cfe475 4973 4a03 ad53 60dca8bf9d3d", "assignedto" null, "actorname" null, "threatfamilyname" "eicar test file", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 07t13 35 19 06z", "verdict" "suspicious", 
"remediationstatus" "none", "sha1" "bec1b52d350d721c7e22a6d4bb0a92909893a3ae", "sha256" "e1105070ba828007508566e28a2b8d4c65d192e9eaf3b7868382b7cae747b397", "filename" "eicarcom2 zip", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] }, { "alertid" "daa7cf69da c4ec 4a0c 8723 4aed920be27d 1", "provideralertid" "a7cf69da c4ec 4a0c 8723 4aed920be27d 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 07t13 35 20 5700411z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" "2023 05 07t13 37 08 431682z", "firstactivity" "2023 05 07t13 23 14 4544585z", "lastactivity" "2023 05 07t13 23 14 4544585z", "title" "'cve 2015 0318' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "resolved", "severity" "low", "investigationid" 18, "investigationstate" "successfullyremediated", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" null, "actorname" null, "threatfamilyname" "cve 2015 0318", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ 
"test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 07t13 35 20 68z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "0c928d246d947f8bb359f9ae186e4a9cef56469c", "sha256" "fae80e9142f46314a211047f2a047e37d09d053cf9063f3c4188d47f43f31e8d", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] }, { "alertid" "da70fea556 a405 4c0f 8b1b d16a77d19bec 1", "provideralertid" "70fea556 a405 4c0f 8b1b d16a77d19bec 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 07t15 15 09 9079421z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" "2023 05 07t15 21 10 6216791z", "firstactivity" "2023 05 07t15 13 19 2549235z", "lastactivity" "2023 05 07t15 13 19 255051z", "title" "'shellcode' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "resolved", "severity" "low", "investigationid" 19, "investigationstate" "benign", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" null, "actorname" null, "threatfamilyname" "shellcode", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" 
"556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 07t15 15 10 0866667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "1b6804445673854501f3bee3884c4e37e60598fc", "sha256" "8ff0c0b429c16c73c7b14a672bf8f15551d764b022896f3fe6b3c2133ba10b9f", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 05 07t15 15 10 2966667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "8a0feaaa9d65588b2b9efdadf7b334a0f996032f", "sha256" "12784b3fe2e70ee17b20f0640c0bce26701e3f463884f86bb645e73ab8ab8124", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 05 07t15 15 10 51z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "5b3e9b0a9d4d5de278e41caf0103f1e645cb956d", "sha256" "183808c5082c7738f0d01dbc299bb5e28a71e5d45e607aca6fe102a6f639a445", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 05 07t15 15 10 58z", "verdict" "suspicious", "remediationstatus" "none", "sha1" 
"01340aa0f6efb9c1c67d22fe6f11f86613b02b6f", "sha256" "77dff28ef7ecb5e1a63cc48a0fd3b25be7278d23a3e2cca56a6487664f6108f3", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] }, { "alertid" "da609dd494 b379 42ea 8f21 e825488f6167 1", "provideralertid" "609dd494 b379 42ea 8f21 e825488f6167 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 08t01 19 13 9210411z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 08t01 17 13 9071363z", "lastactivity" "2023 05 08t01 17 13 9071363z", "title" "malware was detected in a zip archive file during a scheduled scan", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected devices\u200b some of these undesirable applications can replicate and spread from one device to another other devices receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection indicates that malware was found in an archive file the malware has not been launched if real time protection is turned on and the threat is not excluded, any attempt to detonate the malware from this archive will be blocked ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "12cfe475 4973 4a03 ad53 60dca8bf9d3d", "assignedto" null, "actorname" null, "threatfamilyname" "eicar test file", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" 
"medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 08t01 19 14 1866667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "3395856ce81f2b7382dee72602f798b642f14140", "sha256" "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", "filename" "eicarcom2 (1) zip", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] }, { "alertid" "da63def75a cfa6 48cc a90e dc391a491675 1", "provideralertid" "63def75a cfa6 48cc a90e dc391a491675 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 08t01 28 53 7366399z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 08t01 17 17 8110727z", "lastactivity" "2023 05 08t01 17 17 8110727z", "title" "malware was detected in a zip archive file", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected devices\u200b some of these undesirable applications can replicate and spread from one device to another other devices receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection indicates that malware was found in an archive file the malware has not been launched if real time protection is turned on and the threat is not excluded, any attempt to detonate the malware from this archive will be blocked ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" 
"12cfe475 4973 4a03 ad53 60dca8bf9d3d", "assignedto" null, "actorname" null, "threatfamilyname" "eicar test file", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 08t01 28 53 82z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "bec1b52d350d721c7e22a6d4bb0a92909893a3ae", "sha256" "e1105070ba828007508566e28a2b8d4c65d192e9eaf3b7868382b7cae747b397", "filename" "eicarcom2 (1) zip", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] }, { "alertid" "da9a3e361d 9d5e 47b0 9a80 c804ce983ea4 1", "provideralertid" "9a3e361d 9d5e 47b0 9a80 c804ce983ea4 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 08t08 50 21 7588894z", "lastupdatedtime" "2023 05 08t09 07 06 6066667z", "resolvedtime" "2023 05 08t09 07 06 3844124z", "firstactivity" "2023 05 08t08 48 44 973633z", "lastactivity" "2023 05 08t08 48 44 973633z", "title" "'skeeyah' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering 
its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "resolved", "severity" "informational", "investigationid" 20, "investigationstate" "benign", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" "automation", "actorname" null, "threatfamilyname" "skeeyah", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 08t08 50 21 98z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "0b884a0b72e389bb40e6efd88b3cf977d7410e45", "sha256" "cc9a1c9f982e04404567d73b6f0a19bfac43a63280c47f3fa94d64d24d1c544a", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] }, { "alertid" "daa0af793b 7a2c 4dbe 8ce4 c1a81332f0c2 1", "provideralertid" "a0af793b 7a2c 4dbe 8ce4 c1a81332f0c2 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 08t23 09 34 5252253z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 08t23 05 54 8184752z", "lastactivity" "2023 05 08t23 18 25 4733584z", "title" "'eicar test file' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected 
machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" null, "actorname" null, "threatfamilyname" "eicar test file", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 08t23 09 34 7033333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "3395856ce81f2b7382dee72602f798b642f14140", "filename" "eicar\[1] com", "filepath" "c \\\users\\\ieuser\\\appdata\\\local\\\packages\\\microsoft microsoftedge 8wekyb3d8bbwe\\\ac\\\\#!001\\\microsoftedge\\\cache\\\l494h60m", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 08t23 20 06 6466667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "bec1b52d350d721c7e22a6d4bb0a92909893a3ae", "filename" "eicarcom2 zip", "filepath" "c \\\users\\\ieuser\\\downloads", "detectionstatus" "detected", "deviceid" 
"743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 08t23 20 06 9466667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "d27265074c9eac2e2122ed69294dbc4d7cce9141", "filename" "eicar com\[1] zip", "filepath" "c \\\users\\\ieuser\\\appdata\\\local\\\packages\\\microsoft microsoftedge 8wekyb3d8bbwe\\\ac\\\\#!001\\\microsoftedge\\\cache\\\kpx4f9e1", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 08t23 20 07 0533333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "bec1b52d350d721c7e22a6d4bb0a92909893a3ae", "filename" "eicarcom2\[1] zip", "filepath" "c \\\users\\\ieuser\\\appdata\\\local\\\packages\\\microsoft microsoftedge 8wekyb3d8bbwe\\\ac\\\\#!001\\\microsoftedge\\\cache\\\x8vh15nv", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da6f16f6cc bf1e 462e 8ad3 7cb639c36ac0 1", "provideralertid" "6f16f6cc bf1e 462e 8ad3 7cb639c36ac0 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 08 8075219z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 19 1627885z", "lastactivity" "2023 05 09t16 24 31 6293975z", "title" "'tiggre' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, 
"investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" null, "actorname" null, "threatfamilyname" "tiggre", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 08 9966667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "991eb12dda65abbbe886e1a8b14449140793a982", "filename" "inject x64 exe", "filepath" "c \\\sample\\\embedded\\\framework\\\external\\\source\\\exploits\\\cve 2015 0016\\\bin", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 12 1133333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "7232bd42cd9d0725e7e0220052f4734fec91be7a", "filename" "metsvc exe", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\meterpreter", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 12 86z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "446e4a07689f9cc429b97148789055d4eb0c25bb", "filename" "ieshell32 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2016 0189", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 14 5266667z", "verdict" 
"suspicious", "remediationstatus" "none", "sha1" "2561ebcc627fdbdaec7198813eec4fde136fca6f", "filename" "ielocalserver dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2016 0189", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 17 04z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "9a816e68de2a364237f6abde98f99f1c0bf3e919", "filename" "template x64 windows dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2017 8464", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da8f16cd83 5f00 4dde b159 68eaeb495d18 1", "provideralertid" "8f16cd83 5f00 4dde b159 68eaeb495d18 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 08 8186087z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 28 9111124z", "lastactivity" "2023 05 09t16 24 31 6293975z", "title" "'swrort' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" null, "actorname" null, "threatfamilyname" "swrort", "mitretechniques" \[], "devices" \[ { 
"mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 08 9633333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "0124bd66d22c0d93c0e287971e5c6f890af53482", "filename" "runtest dll", "filepath" "c \\\sample\\\embedded\\\framework\\\external\\\source\\\dllhijackauditkit", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 09 1z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "2c615893a98a68f64284602d477fb9578f73bb59", "filename" "runcalc dll", "filepath" "c \\\sample\\\embedded\\\framework\\\external\\\source\\\dllhijackauditkit", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 12 1033333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "8dc6a47f2c0d2523fbf43c2647fa7e8ea973e629", "filename" "template x86 windows dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\templates", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 12 7933333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "80780c29c33de431c0d6b1827fedd4387dcc619e", "filename" "template x64 windows exe", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\templates", "detectionstatus" "detected", "deviceid" 
"743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 14 53z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "9b23894010a732767352d59e5f14a2d36483d179", "filename" "dllhijackauditkit zip", "filepath" "c \\\sample\\\embedded\\\framework\\\external\\\source", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da401a758f 6d45 437f 907c 06997d690c02 1", "provideralertid" "401a758f 6d45 437f 907c 06997d690c02 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 08 8206828z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 31 6293975z", "lastactivity" "2023 05 09t16 24 31 6293975z", "title" "'tnega' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" null, "actorname" null, "threatfamilyname" "tnega", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" 
"2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 09 0933333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "26d2342bb7b85053a8d5ecc445b781d89c42e017", "filename" "inject exe", "filepath" "c \\\sample\\\embedded\\\framework\\\external\\\source\\\exploits\\\cve 2015 0016\\\bin", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da89f30f91 cc75 43ab 9b30 36855b3e35e3 1", "provideralertid" "89f30f91 cc75 43ab 9b30 36855b3e35e3 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 09 2073015z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 16 1319615z", "lastactivity" "2023 05 09t16 24 30 3952296z", "title" "'occamy' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" null, "actorname" null, "threatfamilyname" "occamy", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", 
"aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 09 32z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "30205f91c33b0b0dc10047677efb5eb5f7711025", "filename" "msf swf", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2014 8440", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 09 4633333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "6359a48f39e13ed9d034076f6b39c53ec6f89faf", "filename" "asxploit swf", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2014 0322", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 09 79z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "ee8a1b04d229868fdef51c63ed26851339214189", "filename" "cve 2013 5045 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2013 5045", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 14 5166667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "8239268d814fa0cc0b7c49a6f378c9af0515d544", "filename" "injectsu dll", "filepath" "c \\\sample\\\embedded\\\framework\\\external\\\source\\\byakugan\\\injectsu\\\i386", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" 
"2023 05 09t16 26 16 9866667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "f6d265cb21d65ea7dccd46e1b315dfab3d81d264", "filename" "cve 2012 0754 swf", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da86584ac9 0196 418a 9f9a ef4bb3119b1e 1", "provideralertid" "86584ac9 0196 418a 9f9a ef4bb3119b1e 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 09 207336z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 17 9910473z", "lastactivity" "2023 05 09t16 24 17 9910473z", "title" "'cve 2012 1535' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" null, "actorname" null, "threatfamilyname" "cve 2012 1535", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", 
"onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 09 3766667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "9d05391c39e98c6848b44f1603f25d7141a35550", "filename" "main swf", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2012 1535", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da26070681 fad4 4144 8446 7b69b24a28f7 1", "provideralertid" "26070681 fad4 4144 8446 7b69b24a28f7 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 09 3377408z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 17 9910473z", "lastactivity" "2023 05 09t16 24 17 9910473z", "title" "'cryptinject' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" null, "actorname" null, "threatfamilyname" "cryptinject", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" 
"other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 09 4166667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "f64190b99080c527cb20adcd0738243504de3ec6", "filename" "cve 2013 3881 x86 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2013 3881", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da5419d907 cdd6 46af 826c a46601248e69 1", "provideralertid" "5419d907 cdd6 46af 826c a46601248e69 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 09 3387558z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 17 9910473z", "lastactivity" "2023 05 09t16 24 25 115162z", "title" "'bluteal' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" null, "actorname" null, 
"threatfamilyname" "bluteal", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 09 6z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "e71e6b522f98d73223207badef9b20da3501d513", "filename" "cve 2011 3400 vsd", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2011 3400", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 12 1166667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "5f822f6f61f6076cbb1ab91b1478601cf1f06f99", "filename" "rottenpotato x86 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\rottenpotato", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da8257560c ead6 4429 82bb ff8a768acf0e 1", "provideralertid" "8257560c ead6 4429 82bb ff8a768acf0e 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 09 3389504z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 17 9910473z", "lastactivity" "2023 05 09t16 24 17 9910473z", "title" "'cve 2013 0074' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their 
ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" null, "actorname" null, "threatfamilyname" "cve 2013 0074", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 09 5933333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "2a2351050d808099c7f1a79e335166cb3d50cdee", "filename" "silverapp1 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2013 0074", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "dab8f2f886 630d 4575 bb39 baa3890b7541 1", "provideralertid" "b8f2f886 630d 4575 bb39 baa3890b7541 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 09 3393064z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 23 5215787z", "lastactivity" "2023 05 09t16 24 23 5215787z", "title" "'incognito' hacktool was detected", "description" "readily available 
tools, such as hacking programs, can be used by unauthorized individuals to spy on users when used by attackers, these tools are often installed without authorization and used to compromise targeted machines \n\nthese tools are often used to collect personal information from browser records, record key presses, access email and instant messages, record voice and video conversations, and take screenshots \n\nthis detection might indicate that microsoft defender antivirus has stopped the tool from being installed and used effectively however, it is prudent to check the machine for the files and processes associated with the detected tool ", "category" "malware", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "5ec617e4 67e1 44be a592 067be1d5b31d", "assignedto" null, "actorname" null, "threatfamilyname" "incognito", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 09 7233333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "bec9201095947bebf1ddf0bed7b0aeec0a40392d", "filename" "juicypotato x86 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\juicypotato", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "dafc513a97 f2c8 4f63 93df 455022cb3372 1", "provideralertid" "fc513a97 f2c8 4f63 93df 
455022cb3372 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 09 3403325z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 22 6933679z", "lastactivity" "2023 05 09t16 24 22 6933679z", "title" "'callbckhel' hacktool was detected", "description" "readily available tools, such as hacking programs, can be used by unauthorized individuals to spy on users when used by attackers, these tools are often installed without authorization and used to compromise targeted machines \n\nthese tools are often used to collect personal information from browser records, record key presses, access email and instant messages, record voice and video conversations, and take screenshots \n\nthis detection might indicate that microsoft defender antivirus has stopped the tool from being installed and used effectively however, it is prudent to check the machine for the files and processes associated with the detected tool ", "category" "malware", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "5ec617e4 67e1 44be a592 067be1d5b31d", "assignedto" null, "actorname" null, "threatfamilyname" "callbckhel", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 09 79z", "verdict" "suspicious", "remediationstatus" "none", 
"sha1" "2689bdcec294005f308bf4b6538c7c0f5527ec72", "filename" "cve 2021 40449 x64 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2021 40449", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da072951dc dd4b 43ce 81ea eb7da4ebddd9 1", "provideralertid" "072951dc dd4b 43ce 81ea eb7da4ebddd9 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 09 3403421z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 17 9910473z", "lastactivity" "2023 05 09t16 24 17 9910473z", "title" "'cve 2014 0515' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" null, "actorname" null, "threatfamilyname" "cve 2014 0515", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { 
"accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 09 61z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "7d5ed7cddd2cbe580a88b90a89695216ef25e346", "filename" "msf swf", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2014 0515", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da388554b2 aa5f 4542 b193 1b72483a0ea0 1", "provideralertid" "388554b2 aa5f 4542 b193 1b72483a0ea0 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 09 4737158z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 17 9910473z", "lastactivity" "2023 05 09t16 24 18 8502766z", "title" "'cve 2014 0569' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" null, "actorname" null, "threatfamilyname" "cve 2014 0569", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", 
"rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 09 52z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "a3503268e20edcd36a1239056e74ff252ba73b7a", "filename" "msf swf", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2014 0569", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 09 7033333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "eb8de507b2bf6e1aefc006947c97e55836b0d734", "filename" "msf swf", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2015 0313", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "daccd9df1b 95c9 4288 94ea 895f58010ea3 1", "provideralertid" "ccd9df1b 95c9 4288 94ea 895f58010ea3 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 09 47399z", "lastupdatedtime" "2023 05 09t16 28 37 4466667z", "resolvedtime" null, "firstactivity" "2023 05 09t16 23 28 5477192z", "lastactivity" "2023 05 09t16 24 51 4712565z", "title" "meterpreter post exploitation tool", "description" "meterpreter, a post exploitation tool was detected on this device meterpreter is deployed using dll injection meterpreter was used in a wide range of documented attacks, including attacks involving state sponsored groups and groups associated with ransomware campaigns an attacker might be attempting to establish persistence, discover and steal credentials, or install and launch a payload in the device that might lead to further system compromise detections of meterpreter tools and activity should be thoroughly investigated ", 
"category" "suspiciousactivity", "status" "new", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "f37b8bc2 cfd2 4a8e ac62 24a7df1e698c", "assignedto" null, "actorname" null, "threatfamilyname" "meterpreter", "mitretechniques" \[ "t1055 001" ], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 09 5266667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "e22f074fe13c696b09b2286c8603b097f44466d8", "filename" "cve 2015 1701 x64 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2015 1701", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 09 68z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "3f9f4a71c9ec64f930c37c89fd1c28149d1b31b8", "filename" "nvidia nvsvc x86 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2013 0109", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 10 45z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "cd7ba283e0fde7147967a25f6f3fd5a0e9891635", "filename" "template x86 windows dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2017 8464", "detectionstatus" "detected", "deviceid" 
"743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 11 87z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "58670a69ddeb00aa4932414d2889f2b1bf6951c0", "filename" "cve 2015 1701 x86 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2015 1701", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 12 1033333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "32c5882cf0d45993611f7f0bbfadc9b35f09406f", "filename" "exploit dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2019 1458", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 12 7033333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "ea2e2057b82fab4c64784ce01b665a56b33edc16", "filename" "drunkpotato x64 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\drunkpotato", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 17 0866667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "49f3418664c271afe93b3eb3f0544ac5b7ef440f", "filename" "runtest exe", "filepath" "c \\\sample\\\embedded\\\framework\\\external\\\source\\\dllhijackauditkit", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 17 3333333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "b4abdeb3f3b251394612386d97895f0374fcfbe3", "filename" "uso trigger x86 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\uso trigger", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" 
"2023 05 09t16 26 17 41z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "11a5ecb685198b23618b03bed61d7e5576172ca3", "filename" "runcalc exe", "filepath" "c \\\sample\\\embedded\\\framework\\\external\\\source\\\dllhijackauditkit", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 17 6966667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "4eef3acd880e9ca5d9222f260555d8d74bc4bcbc", "filename" "vncdll x64 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 17 7733333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "67d9d4f14900ea3270f67097e9c947bebbc4bdfd", "filename" "bypassuac x64 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\post", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 19 5z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "59fe0a81fa7a5b8ac4c1ebb10360b05423fb206b", "filename" "uso trigger x64 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\uso trigger", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 19 72z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "bed5b5f463d0c9aee190c2d6490d8d33b9d1dd30", "filename" "bypassuac x86 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\post", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 19 7933333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "5741705f5a37470c6880130d74822f805078af5e", "filename" "vncdll x86 dll", 
"filepath" "c \\\sample\\\embedded\\\framework\\\data", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 19 9866667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "a467b4c2c0581dd25e63bcdc2787ca5e593ae993", "filename" "kitrap0d x86 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2010 0232", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 20 0566667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "b40c04604bf3bbee92fd70beeaefabaa7e92206a", "filename" "schlamperei x86 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2013 1300", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 20 1233333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "eb571ebfa53742df0e2e8375b7d15f94ab436a09", "filename" "cve 2014 4113 x86 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2014 4113", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 20 13z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "09f2a8301046593b6383b63a17d80c20aaca0ecc", "filename" "capcom sys exec x64 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\capcom sys exec", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 25 2866667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "49f3418664c271afe93b3eb3f0544ac5b7ef440f", "sha256" "2098893cc8e02689a0c7561ac99f674fb148021312f7e80b31b922cdfb0be2e0", "filename" "runtest exe", "filepath" "c 
\\\sample\\\embedded\\\framework\\\external\\\source\\\dllhijackauditkit", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 25 3133333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "991eb12dda65abbbe886e1a8b14449140793a982", "sha256" "9930802002f919eb5289c0ea6ec0b0dac1bc77403c03ba2a726bc98361926e0a", "filename" "inject x64 exe", "filepath" "c \\\sample\\\embedded\\\framework\\\external\\\source\\\exploits\\\cve 2015 0016\\\bin", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 25 43z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "b961f647fa01c168a73fa627b7d117f32cf475b4", "sha256" "a905b11abaecc50b087ca9900e6a45b30403d7ee10e18c9d43ef9cf72c1d4849", "filename" "reflective dll dll", "filepath" "c \\\sample\\\embedded\\\framework\\\external\\\source\\\exploits\\\cve 2015 0016\\\bin", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 25 62z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "625f051f74e9f0ac7a152dc9f137173422096ea8", "sha256" "fe6de8aebe3495b686cfb156a6861a3ff01eb1a398963d87cf112a9c7e44f7c4", "filename" "autoinf exe", "filepath" "c \\\sample\\\embedded\\\framework\\\external\\\source\\\pxesploit\\\autoinf\\\release", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 26 6266667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "ea2e2057b82fab4c64784ce01b665a56b33edc16", "sha256" "3a2cdda188879d03ef8f0762a4bed9cba6d53bf0b5f3055afda0ec6819b6b0a8", "filename" "drunkpotato x64 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\drunkpotato", "detectionstatus" "detected", "deviceid" 
"743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 26 8733333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "11a5ecb685198b23618b03bed61d7e5576172ca3", "sha256" "fbab32c8cd61efe3538b27f3f2fc3920614e27ec06882605497913f0f569e052", "filename" "runcalc exe", "filepath" "c \\\sample\\\embedded\\\framework\\\external\\\source\\\dllhijackauditkit", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 27 0633333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "59fe0a81fa7a5b8ac4c1ebb10360b05423fb206b", "sha256" "38e520ab957d16ed6d68387d24e13336c756b218cf7bc698bf5f9e672d38d05c", "filename" "uso trigger x64 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\uso trigger", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 27 1966667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "b4abdeb3f3b251394612386d97895f0374fcfbe3", "sha256" "e47a6230d9586aa5a9e2c4b905e19e8bd01d9ae200e63c6da98d7e32f08b74a6", "filename" "uso trigger x86 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\uso trigger", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 27 2166667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "67d9d4f14900ea3270f67097e9c947bebbc4bdfd", "sha256" "0ce3870b6724c7e84dd741b048e5698a6a4e9fc91a272851a5a47c9236df2da2", "filename" "bypassuac x64 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\post", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 27 4166667z", "verdict" "suspicious", "remediationstatus" "none", 
"sha1" "bed5b5f463d0c9aee190c2d6490d8d33b9d1dd30", "sha256" "5e001d47b541c301b292f555554f060dc18cf19cc28bd339f853f978ad03e08b", "filename" "bypassuac x86 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\post", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 27 9366667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "95e979551bd820befb1aa9f03c39513033e9273f", "sha256" "1e68950facbec301a7b780d59d94434904afe278f41454cd0ad9c1a7ff4c40be", "filename" "dell protect x64 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\dell protect", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 29 0133333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "166a7ea7ad8ccad53259fd3173119227595ddc57", "filename" "ppr flatten rec x86 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2013 3660", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 29 0133333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "2ad0efc6eb1d92a6f9a0af9e08da0cb17592298e", "sha256" "94ac80e8a214d915007dc9f5feaec388417998da6300b2172253cd8cb8ebda67", "filename" "exploit dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\ntapphelpcachecontrol", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 28 03 0366667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "4eef3acd880e9ca5d9222f260555d8d74bc4bcbc", "sha256" "4efe457656c0518c918c6852cb80614144a65e48866e6aeb69ce371d83ad1ead", "filename" "vncdll x64 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data", "detectionstatus" "detected", 
"deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 28 03 1533333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "5741705f5a37470c6880130d74822f805078af5e", "sha256" "7d52a7a759179f2678458c190a30fe630d770ee867681585760ebfd9ca039278", "filename" "vncdll x86 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 28 03 24z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "09f2a8301046593b6383b63a17d80c20aaca0ecc", "sha256" "5473ee1a85c0dafa8f7848b28381a9024d4feafed078664b61d4543e29d31ed9", "filename" "capcom sys exec x64 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\capcom sys exec", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 28 03 59z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "a467b4c2c0581dd25e63bcdc2787ca5e593ae993", "sha256" "c1b9473c3db907a81c0525a6eb6ddc83c73dd1ebb9686e832aad32c9812e7b69", "filename" "kitrap0d x86 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2010 0232", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 28 03 83z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "3f9f4a71c9ec64f930c37c89fd1c28149d1b31b8", "sha256" "ee24d1d448fffea3983da1a51ff4b2a37426a5651b9d93aee5959389de743f07", "filename" "nvidia nvsvc x86 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2013 0109", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 28 04 0333333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" 
"b40c04604bf3bbee92fd70beeaefabaa7e92206a", "sha256" "24abab4054bda1b846b012f71dd0687b4fd4069afc5fda8102a0909e2c85cb6a", "filename" "schlamperei x86 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2013 1300", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 28 04 1233333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "166a7ea7ad8ccad53259fd3173119227595ddc57", "sha256" "775855f0fd33d1099fcab8f8119a2a64ca11dfa56a94b0c828b7a5398c2a3152", "filename" "ppr flatten rec x86 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2013 3660", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 28 04 3866667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "eb571ebfa53742df0e2e8375b7d15f94ab436a09", "sha256" "31108a00a2c2016b0fb4d0e39fb2dbdce141ce9accf9ca0b2cbc47ab2f377cb8", "filename" "cve 2014 4113 x86 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2014 4113", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 28 04 6066667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "b961f647fa01c168a73fa627b7d117f32cf475b4", "sha256" "a905b11abaecc50b087ca9900e6a45b30403d7ee10e18c9d43ef9cf72c1d4849", "filename" "cve 2015 0016 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2015 0016", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 28 04 61z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "e22f074fe13c696b09b2286c8603b097f44466d8", "sha256" "e8950dfc957d2323f55944075134ff945bb8c467e48c1b4b7c86725b09460da2", "filename" "cve 2015 1701 x64 
dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2015 1701", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 28 04 9z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "58670a69ddeb00aa4932414d2889f2b1bf6951c0", "sha256" "c3b6f81b25c7315d9a856dbc0ed1b129b2e0b39553fbd8a50a4145de6aa8ed42", "filename" "cve 2015 1701 x86 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2015 1701", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 28 05 0633333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "cd7ba283e0fde7147967a25f6f3fd5a0e9891635", "sha256" "7841a4fe82abaa7e8822242d701a3bfcabb6fc0d7227fc12628349564e5fd6ae", "filename" "template x86 windows dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2017 8464", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 28 05 32z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "32c5882cf0d45993611f7f0bbfadc9b35f09406f", "sha256" "399c607d6639dce9c8eb65a0f89934b3127a18dea39997afad154ccfaa7eecfe", "filename" "exploit dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2019 1458", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 28 19 6166667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "5adb61542a242eb30eac41ed9956bd36c773da2e", "filename" "meterpreter jar", "filepath" "c \\\sample\\\embedded\\\lib\\\ruby\\\gems\\\3 0 0\\\gems\\\metasploit payloads 2 0 130\\\data\\\meterpreter", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", 
"evidencecreationtime" "2023 05 09t16 28 19 8666667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "4099fdb9d78c76c73ee0da14d87f6ea0ec6eb0be", "filename" "meterpreter py", "filepath" "c \\\sample\\\embedded\\\lib\\\ruby\\\gems\\\3 0 0\\\gems\\\metasploit payloads 2 0 130\\\data\\\meterpreter", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 28 37 41z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "625f051f74e9f0ac7a152dc9f137173422096ea8", "filename" "autoinf exe", "filepath" "c \\\sample\\\embedded\\\framework\\\external\\\source\\\pxesploit\\\autoinf\\\release", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da36a49284 e335 45e9 b835 0ade9b088463 1", "provideralertid" "36a49284 e335 45e9 b835 0ade9b088463 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 09 4796799z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 17 9910473z", "lastactivity" "2023 05 09t16 24 17 9910473z", "title" "'reflectivensa' hacktool was detected", "description" "readily available tools, such as hacking programs, can be used by unauthorized individuals to spy on users when used by attackers, these tools are often installed without authorization and used to compromise targeted machines \n\nthese tools are often used to collect personal information from browser records, record key presses, access email and instant messages, record voice and video conversations, and take screenshots \n\nthis detection might indicate that microsoft defender antivirus has stopped the tool from being installed and used effectively however, it is prudent to check the machine for the files and processes associated with the detected tool ", "category" "malware", "status" "new", "severity" "low", "investigationid" null, 
"investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "5ec617e4 67e1 44be a592 067be1d5b31d", "assignedto" null, "actorname" null, "threatfamilyname" "reflectivensa", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 09 5z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "b961f647fa01c168a73fa627b7d117f32cf475b4", "filename" "cve 2015 0016 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2015 0016", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da17c18980 1b8e 4577 bdc6 d75c9bc618c4 1", "provideralertid" "17c18980 1b8e 4577 bdc6 d75c9bc618c4 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 09 5227942z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 16 1319615z", "lastactivity" "2023 05 09t16 24 18 8502766z", "title" "'cve' ransomware was detected", "description" "ransomware use common methods to encrypt files using keys that are known only to attackers as a result, victims are unable to access the contents of the encrypted files most ransomware display or drop a ransom note\u2014an image or an html file that contains information about how to obtain the attacker supplied decryption tool for a fee \u00a0\u00a0 \n\nto target documents or other files 
that contain user data, some ransomware look for files in certain locations and files with certain extension names it is also common for ransomware to rename encrypted files so that they all use the same extension name \u00a0 \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "ransomware", "status" "new", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "51d03c45 b142 4de4 95df 01b0c259d8f6", "assignedto" null, "actorname" null, "threatfamilyname" "cve", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 09 65z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "a325507f4d9aeaefd41fc437b4357c58996973e2", "filename" "exploit swf", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2013 5331", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 09 7333333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "c5b6f4268a786f810b119c97856fc4cee560b9d6", "filename" "msf swf", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2015 0359", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { 
"entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 17 3233333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "1cb078c24011b08b25242361487791d9f54a1f0a", "filename" "cve 2011 0609 swf", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "daf1d8cd01 f965 4df5 ad5d 05f1de36c8fc 1", "provideralertid" "f1d8cd01 f965 4df5 ad5d 05f1de36c8fc 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 09 5228451z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 17 9910473z", "lastactivity" "2023 05 09t16 24 17 9910473z", "title" "'cve 2013 0634' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" null, "actorname" null, "threatfamilyname" "cve 2013 0634", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], 
"defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 09 64z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "12703bf7cc3f17382fe733492920dcc10915f441", "filename" "exploit swf", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2013 0634", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da3d62713d a943 4df4 856e 349fec5600fb 1", "provideralertid" "3d62713d a943 4df4 856e 349fec5600fb 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 09 5792338z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 20 6624755z", "lastactivity" "2023 05 09t16 24 20 6624755z", "title" "'cve 2018 8453' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" null, "actorname" null, "threatfamilyname" "cve 2018 8453", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" 
"other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 09 72z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "50ad2a3fd02d0199af31f405dc09908dc17b949e", "filename" "cve 2018 8453 exe", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2018 8453", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "dade21d338 cefc 499e 906b cf97298ab935 1", "provideralertid" "de21d338 cefc 499e 906b cf97298ab935 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 09 5792767z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 16 1319615z", "lastactivity" "2023 05 09t16 24 21 8498011z", "title" "'skeeyah' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" null, "actorname" null, 
"threatfamilyname" "skeeyah", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 09 8233333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "a227ccdf9d6c82981ed325a369cc3e4c32da4feb", "filename" "reflective dll x64 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2018 8897", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 09 9666667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "dde971988c7e489d24540fc967cea831e4314624", "filename" "diaghub load x86 exe", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2019 0841", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 10 1266667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "bd14a982b5e6ed862330de93d958a18186cb8a83", "filename" "msf swf", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2015 5122", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 12 18z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "c5b6f4268a786f810b119c97856fc4cee560b9d6", "filename" "msf swf", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2015 0359", 
"detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 12 67z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "0c928d246d947f8bb359f9ae186e4a9cef56469c", "filename" "main swf", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2015 0318", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 14 5433333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "2301b1752c9da0b8c42450c57ac908f84dd9b2f1", "filename" "samba root findsock linux glibc powerpc64le so gz", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2017 7494", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 14 6033333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "0d07f6744df9d2b08e7027e404691d46e68a21ee", "filename" "samba root findsock linux glibc mips so gz", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2017 7494", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 14 7166667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "0b884a0b72e389bb40e6efd88b3cf977d7410e45", "filename" "msf swf", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2015 3113", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 15 05z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "040dbbb9d20cb303894cc2d1755a588a106f9eaf", "filename" "msf swf", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2015 0336", "detectionstatus" "detected", "deviceid" 
"743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 15 7833333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "b961f647fa01c168a73fa627b7d117f32cf475b4", "filename" "cve 2015 0016 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2015 0016", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 16 9733333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "3e71f1b1dc9a4d2edd9dc2959af5de3d678e77b6", "filename" "samba root system linux glibc x86 so gz", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2017 7494", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 17 0133333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "5baba2e59ac39ebeef56f3c70d9e9c279bd27402", "filename" "cve 2013 0758 swf", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 17 3033333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "7d5ed7cddd2cbe580a88b90a89695216ef25e346", "filename" "msf swf", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2014 0515", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 19 5z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "9d05391c39e98c6848b44f1603f25d7141a35550", "filename" "main swf", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2012 1535", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da0c419757 ce76 41e8 89e1 4ecda7b89f50 
1", "provideralertid" "0c419757 ce76 41e8 89e1 4ecda7b89f50 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 09 6362734z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 23 5215787z", "lastactivity" "2023 05 09t16 24 23 5215787z", "title" "'powerpuff' hacktool was detected", "description" "readily available tools, such as hacking programs, can be used by unauthorized individuals to spy on users when used by attackers, these tools are often installed without authorization and used to compromise targeted machines \n\nthese tools are often used to collect personal information from browser records, record key presses, access email and instant messages, record voice and video conversations, and take screenshots \n\nthis detection might indicate that microsoft defender antivirus has stopped the tool from being installed and used effectively however, it is prudent to check the machine for the files and processes associated with the detected tool ", "category" "malware", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "5ec617e4 67e1 44be a592 067be1d5b31d", "assignedto" null, "actorname" null, "threatfamilyname" "powerpuff", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 09 76z", 
"verdict" "suspicious", "remediationstatus" "none", "sha1" "133e97f9b8a0fbace979287c0f69a0bf7bcfca59", "filename" "powerdump ps1", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\powershell", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da7ef9c44a 2226 4d6a 84ec 6236106b0d63 1", "provideralertid" "7ef9c44a 2226 4d6a 84ec 6236106b0d63 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 09 636327z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 24 1306379z", "lastactivity" "2023 05 09t16 24 24 1618849z", "title" "possible metasploit activity", "description" "an activity of a known attack framework called metasploit was observed on this device metasploit is an open source penetration framework that is widely used to test system security attackers also leverage this framework to download and launch malicious codes, exploit known vulnerabilities, create persistence, escalate privileges, or move laterally in a target organization ", "category" "execution", "status" "new", "severity" "high", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderatp", "detectorid" "d84399f4 052d 43c0 87f3 d3121098a164", "assignedto" null, "actorname" null, "threatfamilyname" null, "mitretechniques" \[ "t1059" ], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { 
"entitytype" "user", "evidencecreationtime" "2023 05 09t16 26 10 17z", "verdict" "suspicious", "remediationstatus" "none", "accountname" "ieuser", "domainname" "se pov j2test", "usersid" "s 1 5 21 321011808 3761883066 353627080 1000" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 10 17z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "7232bd42cd9d0725e7e0220052f4734fec91be7a", "sha256" "fc512a7264fa6a546ab1f503c8bd8f11787ed23d05f3783a76d932b1722f8d70", "filename" "metsvc exe", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\meterpreter", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "process", "evidencecreationtime" "2023 05 09t16 26 10 17z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "3eb9d6f8f4448cb1fd6478189edebe3d70477ea7", "sha256" "b759293373a11d1a972873a902bc64b2c9690ab947ce4a185cd047195521296d", "filename" "explorer exe", "filepath" "c \\\windows", "processid" 3924, "processcommandline" "explorer exe", "processcreationtime" "2023 05 08t22 25 53 5240016z", "parentprocessid" 3804, "parentprocesscreationtime" "2023 05 08t22 25 53 3248045z", "parentprocessfilename" "userinit exe", "accountname" "ieuser", "domainname" "se pov j2test", "usersid" "s 1 5 21 321011808 3761883066 353627080 1000", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 11 81z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "bea6af09b27e7d89fd8da7127b986cd83352548b", "sha256" "ac16a5c6d083293c45b67db0f584aca9dcfbcc4bf79cd2dc3e7cca4061626303", "filename" "metsvc server exe", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\meterpreter", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da59f2a5f1 d44e 4c5f a0a2 8cfea7600350 1", "provideralertid" "59f2a5f1 d44e 4c5f a0a2 8cfea7600350 1", "incidentid" 419, 
"servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 09 7755403z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 20 6624755z", "lastactivity" "2023 05 09t16 24 20 6624755z", "title" "'inoculate' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" null, "actorname" null, "threatfamilyname" "inoculate", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 11 82z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "7ac987ca32fcc5f931463b1b487f9d1c36d3dfbb", "filename" "exploit dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2019 0808", "detectionstatus" "detected", 
"deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "dae8df071e aa95 4600 8c24 eb1431007ba9 1", "provideralertid" "e8df071e aa95 4600 8c24 eb1431007ba9 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 09 806335z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 20 6624755z", "lastactivity" "2023 05 09t16 24 20 6624755z", "title" "'cve2018 9948' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" null, "actorname" null, "threatfamilyname" "cve2018 9948", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 11 8766667z", "verdict" "suspicious", "remediationstatus" "none", 
"sha1" "5d71a36813b9e8522340b71c5fdac9a2834638f4", "filename" "template pdf", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2018 9948", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da3d6ef6e9 cd90 476b 9af0 28396ab5122c 1", "provideralertid" "3d6ef6e9 cd90 476b 9af0 28396ab5122c 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 09 809059z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 20 6624755z", "lastactivity" "2023 05 09t16 24 20 6624755z", "title" "'rpdactaele' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" null, "actorname" null, "threatfamilyname" "rpdactaele", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { 
"accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 11 88z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "d48912156f4aa6fcf10350864676dbfc1c7dec58", "filename" "alpc tasksched lpe dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2018 8440", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da788afc29 1318 469b 81fb bd64b3211222 1", "provideralertid" "788afc29 1318 469b 81fb bd64b3211222 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 10 0404781z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 21 8498011z", "lastactivity" "2023 05 09t16 24 21 8498011z", "title" "'clozflitr' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" null, "actorname" null, "threatfamilyname" "clozflitr", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", 
"riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 10 0833333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "84fcc10fef6409c9f50d56bf4f17070b51149841", "filename" "cloudfiltereop exe", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2020 17136", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da72c8d7e5 96c0 487b bbfb f6242b50c6b0 1", "provideralertid" "72c8d7e5 96c0 487b bbfb f6242b50c6b0 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 10 0405611z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 21 8498011z", "lastactivity" "2023 05 09t16 24 21 8498011z", "title" "'cve 2020 0796' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" null, "actorname" null, "threatfamilyname" "cve 2020 0796", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" 
"743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 10 09z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "52caa1d3061ee69bd51d235dfd88a52872fae5fa", "filename" "cve 2020 0796 x64 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2020 0796", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da93054c4c e0fe 4dd8 aa73 7e75562ed5cc 1", "provideralertid" "93054c4c e0fe 4dd8 aa73 7e75562ed5cc 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 10 040625z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 17 9910473z", "lastactivity" "2023 05 09t16 24 17 9910473z", "title" "'cve 2014 0497' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" 
"windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" null, "actorname" null, "threatfamilyname" "cve 2014 0497", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 10 0733333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "4728e7851dba244df055965342b0443eb89a05a9", "filename" "vickers swf", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2014 0497", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da388b9ca3 88d9 4d17 ad16 f89aee88fa7b 1", "provideralertid" "388b9ca3 88d9 4d17 ad16 f89aee88fa7b 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 10 0419643z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 21 8498011z", "lastactivity" "2023 05 09t16 24 21 8498011z", "title" "'cathar' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of 
infection ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" null, "actorname" null, "threatfamilyname" "cathar", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 10 1066667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "e5e17c80377294743b071ca02fa322e90a6bdd17", "filename" "cve 2020 0787 x64 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2020 0787", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 10 3133333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "058ff4b4db97a24142b75eb4a4546df90377b09d", "filename" "cve 2020 0787 x86 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2020 0787", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "daafedfbc5 9e95 4d8c 8a03 fac1d733570c 1", "provideralertid" "afedfbc5 9e95 4d8c 8a03 fac1d733570c 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 10 0420851z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 17 9910473z", 
"lastactivity" "2023 05 09t16 24 17 9910473z", "title" "'2014 4113' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" null, "actorname" null, "threatfamilyname" "2014 4113", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 10 08z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "da89157954c4fada4b7780e5d7e7e976df361df3", "filename" "cve 2014 4113 x64 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2014 4113", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "dac7c9c4b8 5705 4692 a2f2 421ce26f38df 1", "provideralertid" "c7c9c4b8 5705 4692 a2f2 421ce26f38df 1", "incidentid" 419, "servicesource" 
"microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 10 0446584z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 17 9910473z", "lastactivity" "2023 05 09t16 24 17 9910473z", "title" "'vagger' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" null, "actorname" null, "threatfamilyname" "vagger", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 10 1733333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "81cf9cd812519d3c303fba4e1035d716fb44277a", "filename" "cve 2014 0257 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2014 0257", "detectionstatus" "detected", "deviceid" 
"743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "dab0393f13 731a 48d4 ba33 906761c1308d 1", "provideralertid" "b0393f13 731a 48d4 ba33 906761c1308d 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 10 0682033z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 18 8502766z", "lastactivity" "2023 05 09t16 24 18 8502766z", "title" "'cve 2015 0318' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" null, "actorname" null, "threatfamilyname" "cve 2015 0318", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 10 17z", "verdict" "suspicious", "remediationstatus" "none", "sha1" 
"0c928d246d947f8bb359f9ae186e4a9cef56469c", "filename" "main swf", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2015 0318", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da07372971 749a 48a2 9d6c c82f28ceebb3 1", "provideralertid" "07372971 749a 48a2 9d6c c82f28ceebb3 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 10 4184389z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 15 5539725z", "lastactivity" "2023 05 09t16 24 21 8498011z", "title" "'ceevee' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" null, "actorname" null, "threatfamilyname" "ceevee", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", 
"domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 10 4466667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "b2ef9df56cb967935f2e794914b1fb61f693c110", "filename" "cve 2020 1048 exe x64 exe", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2020 1048", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 15 0633333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "1ceef1027df0d41c5fae7fa159e7611c428bc83d", "filename" "cve 2016 0099 ps1", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2016 0099", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 16 9833333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "6bf1a880b7e1461aa6330c7423b91a10d4e396de", "filename" "processherpaderpingtemplate x86 exe", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\evasion\\\windows\\\process herpaderping", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "daa0eda778 373b 4d0d b505 3e8c2ff7c9c7 1", "provideralertid" "a0eda778 373b 4d0d b505 3e8c2ff7c9c7 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 12 0132064z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 18 8502766z", "lastactivity" "2023 05 09t16 24 18 8502766z", "title" "'cve 2015 3105' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and 
malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" null, "actorname" null, "threatfamilyname" "cve 2015 3105", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 12 14z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "ac0680736a1a25039fd0484b4d627bbe1cd97d59", "filename" "msf swf", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2015 3105", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 12 19z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "e924be3506736cc65faca229113e89d8959c9e80", "filename" "msf swf", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2015 0311", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 14 14z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "040dbbb9d20cb303894cc2d1755a588a106f9eaf", "filename" "msf swf", 
"filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2015 0336", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 15 06z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "ee22409875455dc5bcddedd2173c8aed6b7d17b5", "filename" "msf swf", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2015 3090", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da6192d9a2 4582 453c b875 c4607f8a1dcd 1", "provideralertid" "6192d9a2 4582 453c b875 c4607f8a1dcd 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 12 0134436z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 18 8502766z", "lastactivity" "2023 05 09t16 24 18 8502766z", "title" "'cve 2015 2426' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" null, "actorname" null, "threatfamilyname" "cve 2015 2426", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" 
"other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 12 1966667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "9fb92a48a37cecf396813d7444263fc5630873c3", "filename" "reflective dll x64 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2015 2426", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da8c1b8fcc c352 4e3d b09c 74b11bfc5216 1", "provideralertid" "8c1b8fcc c352 4e3d b09c 74b11bfc5216 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 12 0140565z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 18 8502766z", "lastactivity" "2023 05 09t16 24 18 8502766z", "title" "'cve 2015 0336' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" null, "actorname" null, 
"threatfamilyname" "cve 2015 0336", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 12 29z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "8953fd17abfee98a3cf1153b55147f506cb22096", "filename" "trigger swf", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2015 0336", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da69d674e9 8ad1 4d6f 919b b232a16ea2e2 1", "provideralertid" "69d674e9 8ad1 4d6f 919b b232a16ea2e2 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 12 0247375z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 22 6933679z", "lastactivity" "2023 05 09t16 24 22 6933679z", "title" "'drunzpkto' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, 
"investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" null, "actorname" null, "threatfamilyname" "drunzpkto", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 12 2833333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "f0054bb408d9e0627dee00fd17dd3e24d050d9d0", "filename" "drunkpotato x86 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\drunkpotato", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da7119305a 32ac 429a 9c7e 03405de19187 1", "provideralertid" "7119305a 32ac 429a 9c7e 03405de19187 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 12 0803427z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 18 8502766z", "lastactivity" "2023 05 09t16 24 18 8502766z", "title" "'cve 2016 0040' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the 
malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" null, "actorname" null, "threatfamilyname" "cve 2016 0040", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 12 1333333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "7ce1aea8ee4d5773eaaf4e7757d3901dfb20c363", "filename" "cve 2016 0040 x64 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2016 0040", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da58c07d8d 37d1 475e 8e1c 911afe28d606 1", "provideralertid" "58c07d8d 37d1 475e 8e1c 911afe28d606 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 12 0808023z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 22 6933679z", "lastactivity" "2023 05 09t16 24 22 6933679z", "title" "'donoff' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can 
replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" null, "actorname" null, "threatfamilyname" "donoff", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 12 13z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "e22b96ad593a132257767d441d58cede08cd4ad0", "filename" "cve 2021 40444 js", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2021 40444", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "dad36eb53c b394 4536 8268 75eb76785f9b 1", "provideralertid" "d36eb53c b394 4536 8268 75eb76785f9b 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 12 080845z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 22 6933679z", "lastactivity" "2023 05 09t16 24 22 6933679z", "title" "'superproflpe' malware was 
detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" null, "actorname" null, "threatfamilyname" "superproflpe", "mitretechniques" \[ "t1068" ], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 12 1366667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "7a22825c1d0d384b7a8852e328e4652416fe51c7", "filename" "cve 2022 26904 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2022 26904", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da2dfc8bc1 4c41 48cf 816c 7e038825e6fa 1", "provideralertid" "2dfc8bc1 4c41 48cf 816c 7e038825e6fa 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 
09t16 26 12 0811377z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 20 6624755z", "lastactivity" "2023 05 09t16 24 20 6624755z", "title" "anomalous file write to a secure directory by an unprivileged process", "description" "an unprivileged process wrote a file to a secure directory under anomalous circumstances generally, such write events involve a local escalation of privilege (eop) exploit ", "category" "suspiciousactivity", "status" "new", "severity" "high", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "6a5d6a78 e8ee 4a2e b698 9e3f3377e5e5", "assignedto" null, "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 12 15z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "d48912156f4aa6fcf10350864676dbfc1c7dec58", "filename" "alpc tasksched lpe dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2018 8440", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da042438e7 2bbe 4dda 999c 56005e4715b8 1", "provideralertid" "042438e7 2bbe 4dda 999c 56005e4715b8 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 12 1206064z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, 
"firstactivity" "2023 05 09t16 24 26 5989782z", "lastactivity" "2023 05 09t16 24 26 5989782z", "title" "'tamfer' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" null, "actorname" null, "threatfamilyname" "tamfer", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 12 1833333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "f3296bc11abef57616062ace7feebab57f1243ab", "filename" "hostingclrx64 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\post\\\execute dotnet assembly", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "daddab73cf 3efc 435a aadd b65109bba74c 1", "provideralertid" "ddab73cf 3efc 
435a aadd b65109bba74c 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 12 1548292z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 18 8502766z", "lastactivity" "2023 05 09t16 24 18 8502766z", "title" "'kernelmemmod' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" null, "actorname" null, "threatfamilyname" "kernelmemmod", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 12 24z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "6fad978455b75d6bfaf2de25fde88642c5bdfac9", "filename" "cve 2016 0051 x86 dll", "filepath" "c 
\\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2016 0051", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "dafc082e3a 9054 41ed 91df e1ab23fbf68c 1", "provideralertid" "fc082e3a 9054 41ed 91df e1ab23fbf68c 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 12 2594369z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 21 8498011z", "lastactivity" "2023 05 09t16 24 21 8498011z", "title" "'cve 2020 1054' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" null, "actorname" null, "threatfamilyname" "cve 2020 1054", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", 
"evidencecreationtime" "2023 05 09t16 26 14 3033333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "e445435b08d75a9415f38ba6b6310247e2247a3c", "filename" "exploit dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2020 1054", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "daf43197f0 3c7a 4bea 895c e00534573600 1", "provideralertid" "f43197f0 3c7a 4bea 895c e00534573600 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 12 5866368z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 18 8502766z", "lastactivity" "2023 05 09t16 24 18 8502766z", "title" "'cve 2015 5119' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" null, "actorname" null, "threatfamilyname" "cve 2015 5119", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], 
"defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 14 7166667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "0f6eb04a29a429883c7bc905a4d521111336b694", "filename" "msf swf", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2015 5119", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da8ddf7fa5 b059 48c6 a824 c921f667a8c0 1", "provideralertid" "8ddf7fa5 b059 48c6 a824 c921f667a8c0 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 12 6102054z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 22 6933679z", "lastactivity" "2023 05 09t16 24 22 6933679z", "title" "'cve 2023 21768' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" null, "actorname" null, "threatfamilyname" "cve 2023 21768", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov 
j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 12 6866667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "7f3b3e60a24c208dc7cf6c6ab8c58ce4fa081ca4", "filename" "cve 2023 21768 x64 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2023 21768", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da9d830ebe b977 4ac7 8e9f c01a0539c362 1", "provideralertid" "9d830ebe b977 4ac7 8e9f c01a0539c362 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 12 6103559z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 27 8799901z", "lastactivity" "2023 05 09t16 24 28 9111124z", "title" "'injector' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", 
"assignedto" null, "actorname" null, "threatfamilyname" "injector", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 14 53z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "1e1528a559ac42a9ee58a0929dabdf1c91ec3963", "filename" "template x86 windows svc exe", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\templates", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 14 6066667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "62088e4bac622d5fedd6a744efb82422e550ddd7", "filename" "template x86 windows dccw gdiplus 256kib dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\templates", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 14 67z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "f98844e5dbaf9701220698918bae897ea912eadc", "filename" "template x64 windows dccw gdiplus 256kib dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\templates", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 14 7466667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "4b7b39486ca49872ea98b78f1feb0abe22d1c50a", "filename" "template x86 windows dccw gdiplus dll", 
"filepath" "c \\\sample\\\embedded\\\framework\\\data\\\templates", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 14 7833333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "72fae194390becd9416de7350123c41619ebca36", "filename" "template x64 windows dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\templates", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 14 8233333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "86e6d90ce94e4c1a151c56ddac47b6b9b5c25927", "filename" "template x86 windows 256kib dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\templates", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 14 8233333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "b520183fa606c1888fdec537705445b96881e165", "filename" "template x64 windows dccw gdiplus dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\templates", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 15 0466667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "ada5a9e4a67bb186fbce384af666083d4745e21d", "filename" "template x64 windows 256kib dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\templates", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "daf707ee86 38a0 414a a9d2 3e979aa83f4f 1", "provideralertid" "f707ee86 38a0 414a a9d2 3e979aa83f4f 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 12 752746z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" 
"2023 05 09t16 24 22 6933679z", "lastactivity" "2023 05 09t16 24 22 6933679z", "title" "'cve 2022 21882' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" null, "actorname" null, "threatfamilyname" "cve 2022 21882", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 12 7966667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "bddacce4011790b0f948a92bce6b89417b4d4532", "filename" "cve 2022 21882 x64 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2022 21882", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da5b449d4c b813 4d8b b8f6 e8f430dde34f 1", "provideralertid" "5b449d4c b813 4d8b b8f6 
e8f430dde34f 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 12 7532236z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 23 5215787z", "lastactivity" "2023 05 09t16 24 23 5215787z", "title" "'potatohttploader' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" null, "actorname" null, "threatfamilyname" "potatohttploader", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 12 7933333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "c479efd3dce64046a45d34eb867474ffdd037713", "filename" "juicypotato x64 dll", "filepath" "c 
\\\sample\\\embedded\\\framework\\\data\\\exploits\\\juicypotato", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "dad412f601 87d8 4801 8456 8b5df7c9cc75 1", "provideralertid" "d412f601 87d8 4801 8456 8b5df7c9cc75 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 12 7534234z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 28 9111124z", "lastactivity" "2023 05 09t16 24 28 9111124z", "title" "'metasploit' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" null, "actorname" null, "threatfamilyname" "metasploit", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", 
"evidencecreationtime" "2023 05 09t16 26 12 7933333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "131786912c94f98fa043b8164371e9977848f0c3", "filename" "template x64 windows svc exe", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\templates", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "daa144289f d64d 4ee6 8339 4d057a4b4b97 1", "provideralertid" "a144289f d64d 4ee6 8339 4d057a4b4b97 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 13 0031367z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 23 5215787z", "lastactivity" "2023 05 09t16 24 23 5215787z", "title" "'reverseshell' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" null, "actorname" null, "threatfamilyname" "reverseshell", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], 
"defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 15 1733333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "c955912a1fccb4e1a30572074221976d3032d3d7", "filename" "powerfun ps1", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\powershell", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da6c5f6a53 99d3 4176 a7d4 64bb9f9d3f23 1", "provideralertid" "6c5f6a53 99d3 4176 a7d4 64bb9f9d3f23 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 13 0344836z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 23 5215787z", "lastactivity" "2023 05 09t16 24 23 5215787z", "title" "'wacatac' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" null, "actorname" null, "threatfamilyname" "wacatac", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", 
"osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 21 1566667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "2ad0efc6eb1d92a6f9a0af9e08da0cb17592298e", "filename" "exploit dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\ntapphelpcachecontrol", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "dacdce853c c7c7 46f0 86e8 58ac1871b744 1", "provideralertid" "cdce853c c7c7 46f0 86e8 58ac1871b744 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 14 4545569z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 20 6624755z", "lastactivity" "2023 05 09t16 24 20 6624755z", "title" "'cve 2018 8120' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" null, 
"actorname" null, "threatfamilyname" "cve 2018 8120", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 14 53z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "60e6b60d4912c42a0b55ff3561cd7696ad158558", "filename" "cve 2018 8120x86 exe", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2018 8120", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 14 56z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "8b633d0a7fdb0705348b307676a061d4c94d4694", "filename" "cve 2018 8120x64 exe", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2018 8120", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "dac6ccb387 21af 4a9b 8939 ee91df7f50b0 1", "provideralertid" "c6ccb387 21af 4a9b 8939 ee91df7f50b0 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 14 7754459z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 15 5539725z", "lastactivity" "2023 05 09t16 24 15 5539725z", "title" "'herpaderping' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and 
spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" null, "actorname" null, "threatfamilyname" "herpaderping", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 16 8133333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "889cfcc0ac2cd5932dc58b7fe500a45c3b5131c9", "filename" "processherpaderping x86 exe", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\evasion\\\windows\\\process herpaderping", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 16 9833333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "5e51fc3b75a2389f5f978884957c07199895669f", "filename" "processherpaderping x64 exe", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\evasion\\\windows\\\process herpaderping", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, 
{ "alertid" "da3a586fd9 ce9c 4df2 ae98 7c51a40ecca3 1", "provideralertid" "3a586fd9 ce9c 4df2 ae98 7c51a40ecca3 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 15 001388z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 23 5215787z", "lastactivity" "2023 05 09t16 24 23 5215787z", "title" "'cve 2016 9079' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" null, "actorname" null, "threatfamilyname" "cve 2016 9079", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 15 0433333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "4a4eda4936ba479eca1ddc8e64b71de9047f937e", "filename" 
"worker js", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\firefox smil uaf", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da3f7e2610 4af3 4ca0 8c3a bde34409003b 1", "provideralertid" "3f7e2610 4af3 4ca0 8c3a bde34409003b 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 15 0260861z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 25 115162z", "lastactivity" "2023 05 09t16 24 25 115162z", "title" "'juicypotato' hacktool was detected", "description" "readily available tools, such as hacking programs, can be used by unauthorized individuals to spy on users when used by attackers, these tools are often installed without authorization and used to compromise targeted machines \n\nthese tools are often used to collect personal information from browser records, record key presses, access email and instant messages, record voice and video conversations, and take screenshots \n\nthis detection might indicate that microsoft defender antivirus has stopped the tool from being installed and used effectively however, it is prudent to check the machine for the files and processes associated with the detected tool ", "category" "malware", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "5ec617e4 67e1 44be a592 067be1d5b31d", "assignedto" null, "actorname" null, "threatfamilyname" "juicypotato", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" 
"notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 17 0966667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "9f3d66223c01743ae43937a344f80e81edd0fc06", "filename" "rottenpotato x64 dll", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\rottenpotato", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da851c3ded ba86 4618 a5f5 8a8f0fad6860 1", "provideralertid" "851c3ded ba86 4618 a5f5 8a8f0fad6860 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 15 0262215z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 16 1319615z", "lastactivity" "2023 05 09t16 24 16 1319615z", "title" "'cve 2008 5499' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" null, "actorname" null, "threatfamilyname" "cve 2008 5499", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" 
"other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 17 1033333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "11b6d5420c41946f694e52c8b97cc149884ca11a", "filename" "cve 2008 5499 swf", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "daa1ac72ac 610f 4b97 9b54 6b79d26a5c7e 1", "provideralertid" "a1ac72ac 610f 4b97 9b54 6b79d26a5c7e 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 15 0262618z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 16 1319615z", "lastactivity" "2023 05 09t16 24 16 1319615z", "title" "'ditertag' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" null, "actorname" null, 
"threatfamilyname" "ditertag", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 17 08z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "8c94c60a050311ead6a08cf66260701223455d67", "filename" "hta evasion hta", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "dad516a5ea 81ef 4a29 bff1 2aa9ce18623d 1", "provideralertid" "d516a5ea 81ef 4a29 bff1 2aa9ce18623d 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 15 3529213z", "lastupdatedtime" "2023 05 09t16 26 26 88z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 25 3961026z", "lastactivity" "2023 05 09t16 24 27 8799901z", "title" "bloodhound post exploitation tool", "description" "bloodhound, a post exploitation open source reconnaissance tool, has been detected on this device bloodhound has been used in a wide range of documented attacks, including attacks involving state sponsored groups and groups associated with ransomware campaigns an attacker might be attempting to collect information about users, user sessions, groups, accounts, domain controller properties and permissions detections of bloodhound tools and activity should be thoroughly investigated ", "category" "suspiciousactivity", "status" "new", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedos", 
"classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "2ee16d3e e768 47a9 94c5 9166017b666d", "assignedto" null, "actorname" null, "threatfamilyname" "sharphound", "mitretechniques" \[ "t1087" ], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 15 4033333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "5e6254ebcf8ea518716c6090658b89960f425ab3", "filename" "sharphound exe", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\post", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 17 5066667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "d38dd63277dbd5cbad714dd60c1ccf316723b726", "filename" "sharphound ps1", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\post\\\powershell", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 26 8733333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "5e6254ebcf8ea518716c6090658b89960f425ab3", "sha256" "1f74ed6e61880d19e53cde5b0d67a0507bfda0be661860300dcb0f20ea9a45f4", "filename" "sharphound exe", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\post", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da0e7bffc2 d786 4a4c 89eb 5589a75b4969 1", "provideralertid" 
"0e7bffc2 d786 4a4c 89eb 5589a75b4969 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 15 3529974z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 16 1319615z", "lastactivity" "2023 05 09t16 24 16 1319615z", "title" "'cve 2008 5353' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" null, "actorname" null, "threatfamilyname" "cve 2008 5353", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 15 4z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "e5c446ebe1efec6b5784054768c2960b0033b3bf", "filename" "cve 2008 5353 jar", "filepath" "c 
\\\sample\\\embedded\\\framework\\\data\\\exploits", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da4fb127df e383 4ea2 a88f 0d2eaffc7a26 1", "provideralertid" "4fb127df e383 4ea2 a88f 0d2eaffc7a26 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 15 353008z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 16 1319615z", "lastactivity" "2023 05 09t16 24 16 1319615z", "title" "'cve 2010 3654' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" null, "actorname" null, "threatfamilyname" "cve 2010 3654", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" 
"2023 05 09t16 26 15 3966667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "695f23be17ee52b261918191c1ed9b69d017717f", "filename" "cve 2010 3654 swf", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da914d33ac edc7 4c65 bbbe fa13839a9025 1", "provideralertid" "914d33ac edc7 4c65 bbbe fa13839a9025 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 15 3561384z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 31 6293975z", "lastactivity" "2023 05 09t16 24 31 6293975z", "title" "'pasinjref' hacktool was detected", "description" "readily available tools, such as hacking programs, can be used by unauthorized individuals to spy on users when used by attackers, these tools are often installed without authorization and used to compromise targeted machines \n\nthese tools are often used to collect personal information from browser records, record key presses, access email and instant messages, record voice and video conversations, and take screenshots \n\nthis detection might indicate that microsoft defender antivirus has stopped the tool from being installed and used effectively however, it is prudent to check the machine for the files and processes associated with the detected tool ", "category" "malware", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "5ec617e4 67e1 44be a592 067be1d5b31d", "assignedto" null, "actorname" null, "threatfamilyname" "pasinjref", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, 
"healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 15 4z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "f58a6bb391e586d25920deea62ca5bfbfb9a09c2", "filename" "reflective dll arm dll", "filepath" "c \\\sample\\\embedded\\\framework\\\external\\\source\\\exploits\\\cve 2015 0016\\\bin", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "daa4e324c8 51e2 4795 a6b4 ba57532c555c 1", "provideralertid" "a4e324c8 51e2 4795 a6b4 ba57532c555c 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 15 3569532z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 26 5989782z", "lastactivity" "2023 05 09t16 24 26 5989782z", "title" "'elevate' hacktool was detected", "description" "readily available tools, such as hacking programs, can be used by unauthorized individuals to spy on users when used by attackers, these tools are often installed without authorization and used to compromise targeted machines \n\nthese tools are often used to collect personal information from browser records, record key presses, access email and instant messages, record voice and video conversations, and take screenshots \n\nthis detection might indicate that microsoft defender antivirus has stopped the tool from being installed and used effectively however, it is prudent to check the machine for the files and processes associated with the detected tool ", "category" "malware", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, 
"detectionsource" "windowsdefenderav", "detectorid" "5ec617e4 67e1 44be a592 067be1d5b31d", "assignedto" null, "actorname" null, "threatfamilyname" "elevate", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 17 09z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "08af85f31499678205bf70280fafc421ea16c9e2", "filename" "bypassuac x86 exe", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\post", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 17 41z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "f145181e095285feeb6897c9a6bd2e5f6585f294", "filename" "bypassuac x64 exe", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\post", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "daf50ba549 b0ac 4813 98fe d1a71f5f58bb 1", "provideralertid" "f50ba549 b0ac 4813 98fe d1a71f5f58bb 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 15 3587427z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 16 1319615z", "lastactivity" "2023 05 09t16 24 16 1319615z", "title" "'cve 2010 1297' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run 
arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" null, "actorname" null, "threatfamilyname" "cve 2010 1297", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 17 41z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "fcfe976b44e6faa30eda4127ece73c5d51ddeeb5", "filename" "cve 2010 1297 swf", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "dafc73f7f6 b5c2 4dc2 8c60 8a1cfd9fbc76 1", "provideralertid" "fc73f7f6 b5c2 4dc2 8c60 8a1cfd9fbc76 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 15 7449404z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 16 1319615z", "lastactivity" "2023 05 09t16 24 16 1319615z", "title" "'cve 
2010 0822' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" null, "actorname" null, "threatfamilyname" "cve 2010 0822", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 15 7833333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "9255c38bf09a94ca426178522a8c508b7452649b", "filename" "cve 2010 0822 xls", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "daeb0615af 5337 49ce be41 4a2847a5344b 1", "provideralertid" "eb0615af 5337 49ce be41 4a2847a5344b 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 16 
958087z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 16 1319615z", "lastactivity" "2023 05 09t16 24 16 1319615z", "title" "'cve 2011 0611' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" null, "actorname" null, "threatfamilyname" "cve 2011 0611", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 17 0433333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "a8dc9c92dc9221de99ad757bd53e3735c1778540", "filename" "cve 2011 0611 swf", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "dadcb7b4e7 4afb 4461 a864 
0ceee21c51b2 1", "provideralertid" "dcb7b4e7 4afb 4461 a864 0ceee21c51b2 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 17 2193291z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 16 1319615z", "lastactivity" "2023 05 09t16 24 16 1319615z", "title" "'cve 2011 2110' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" null, "actorname" null, "threatfamilyname" "cve 2011 2110", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 17 3166667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "d33182ab234ad7a1df095cb123299f61e06233fb", "filename" "cve 2011 2110 swf", "filepath" "c 
\\\sample\\\embedded\\\framework\\\data\\\exploits", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da118909be d90d 408e a237 4f81071455b8 1", "provideralertid" "118909be d90d 408e a237 4f81071455b8 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 17 3997012z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 16 1319615z", "lastactivity" "2023 05 09t16 24 16 1319615z", "title" "'shellcode' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" null, "actorname" null, "threatfamilyname" "shellcode", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 
09t16 26 19 4433333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "4885a88f8bc28b31bc1f200849d6036a3317dda7", "filename" "evasion shellcode js", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da76928d6a d535 4767 9a73 5265d5acb166 1", "provideralertid" "76928d6a d535 4767 9a73 5265d5acb166 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 17 457012z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 16 1319615z", "lastactivity" "2023 05 09t16 24 16 1319615z", "title" "'cve 2012 0779' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" null, "actorname" null, "threatfamilyname" "cve 2012 0779", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" 
"onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 19 5z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "81b4610d01a6e5bc0f11dcb2295d53307fc9a217", "filename" "cve 2012 0779 swf", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da307f98cc 0dfe 47a5 9b70 030f9ea22260 1", "provideralertid" "307f98cc 0dfe 47a5 9b70 030f9ea22260 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 26 19 5154716z", "lastupdatedtime" "2023 05 09t16 26 23 3z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 17 9754152z", "lastactivity" "2023 05 09t16 24 17 9754152z", "title" "'cve 2014 0556' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" null, "actorname" null, "threatfamilyname" "cve 2014 0556", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, 
"healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 26 19 5333333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "de7d105c387be5b8a72333411be16c5682c3b5ad", "filename" "msf swf", "filepath" "c \\\sample\\\embedded\\\framework\\\data\\\exploits\\\cve 2014 0556", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da960e3e69 08b1 45c9 9150 f2c903a3be12 1", "provideralertid" "960e3e69 08b1 45c9 9150 f2c903a3be12 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 28 19 5971773z", "lastupdatedtime" "2023 05 09t16 28 20 1366667z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 58 8147996z", "lastactivity" "2023 05 09t16 24 58 8147996z", "title" "'blackhole' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "new", "severity" "low", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" null, "actorname" null, "threatfamilyname" "blackhole", "mitretechniques" \[], "devices" \[ { 
"mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 28 19 63z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "27fbb6cd0d2666bc6c09b154ee17c6bdcdd17c0a", "filename" "property spray js", "filepath" "c \\\sample\\\embedded\\\lib\\\ruby\\\gems\\\3 0 0\\\gems\\\rex exploitation 0 1 38\\\data\\\js\\\memory", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 28 19 87z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "3e99597fbb702507ff69475ffe2805ddd705bf48", "filename" "heap spray js", "filepath" "c \\\sample\\\embedded\\\lib\\\ruby\\\gems\\\3 0 0\\\gems\\\rex exploitation 0 1 38\\\data\\\js\\\memory", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "dac48ef314 be1a 4e42 9183 404d3deb46d9 1", "provideralertid" "c48ef314 be1a 4e42 9183 404d3deb46d9 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 28 19 6665583z", "lastupdatedtime" "2023 05 09t16 28 20 2z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 51 4712565z", "lastactivity" "2023 05 09t16 24 51 4712565z", "title" "'metsrv' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another 
others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" null, "actorname" null, "threatfamilyname" "metsrv", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 28 19 6966667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "d287df13537f0c6013a65ce230a2a2973fdc1c23", "filename" "ext server stdapi py", "filepath" "c \\\sample\\\embedded\\\lib\\\ruby\\\gems\\\3 0 0\\\gems\\\metasploit payloads 2 0 130\\\data\\\meterpreter", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da2f06c04a 3a0f 44a6 87c2 3e9a2d93d869 1", "provideralertid" "2f06c04a 3a0f 44a6 87c2 3e9a2d93d869 1", "incidentid" 419, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 09t16 28 37 3982317z", "lastupdatedtime" "2023 05 09t16 28 41 36z", "resolvedtime" null, "firstactivity" "2023 05 09t16 24 38 3002917z", "lastactivity" "2023 05 09t16 24 38 3002917z", "title" "'dynamer' malware was detected", 
"description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" null, "actorname" null, "threatfamilyname" "dynamer", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 28 37 4366667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "625f051f74e9f0ac7a152dc9f137173422096ea8", "filename" "autoinf exe", "filepath" "c \\\sample\\\embedded\\\framework\\\external\\\source\\\pxesploit\\\autoinf\\\release", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] } ] }, { "incidentid" 423, "incidenturi" "https //security microsoft com/incidents/423?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 419, "incidentname" "multiple threat families detected on multiple 
endpoints", "createdtime" "2023 05 07t13 25 22 4666667z", "lastupdatetime" "2023 05 09t16 26 23 1866667z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "low", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 434, "incidenturi" "https //security microsoft com/incidents/434?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 419, "incidentname" "'swrort' malware was detected on one endpoint", "createdtime" "2023 05 09t16 26 09 1566667z", "lastupdatetime" "2023 05 09t16 26 23 1866667z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "informational", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 435, "incidenturi" "https //security microsoft com/incidents/435?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 419, "incidentname" "multiple threat families detected including ransomware on one endpoint", "createdtime" "2023 05 09t16 26 09 1566667z", "lastupdatetime" "2023 05 09t16 26 23 1866667z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "high", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 436, "incidenturi" "https //security microsoft com/incidents/436?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 419, "incidentname" "possible metasploit activity on one endpoint", "createdtime" "2023 05 09t16 26 11 9166667z", "lastupdatetime" "2023 05 09t16 26 23 1866667z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "high", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 432, "incidenturi" "https //security microsoft com/incidents/432?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "suspicious activity incident on one endpoint", "createdtime" "2023 05 08t23 07 28 3366667z", "lastupdatetime" 
"2023 05 08t23 19 34 1z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "active", "severity" "informational", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "da638191840477310951 2137449098", "provideralertid" "da638191840477310951 2137449098", "incidentid" 432, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 08t23 07 27 7311134z", "lastupdatedtime" "2023 05 09t16 25 21 32z", "resolvedtime" null, "firstactivity" "2023 05 08t23 05 48 5313733z", "lastactivity" "2023 05 09t16 23 28 5477192z", "title" "test2", "description" "test2", "category" "suspiciousactivity", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "customerti", "detectorid" "360fdb3b 18a9 471b 9ad0 ad80a4cbcb00", "assignedto" null, "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 08t23 07 27 9433333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "3395856ce81f2b7382dee72602f798b642f14140", "filename" "c \\\users\\\ieuser\\\appdata\\\local\\\packages\\\microsoft microsoftedge 8wekyb3d8bbwe\\\ac\\\\#!001\\\microsoftedge\\\cache\\\l494h60m", "filepath" "c \\\users\\\ieuser\\\appdata\\\local\\\packages\\\microsoft microsoftedge 8wekyb3d8bbwe\\\ac\\\\#!001\\\microsoftedge\\\cache" }, { "entitytype" "user", "evidencecreationtime" "2023 
05 08t23 07 28 2033333z", "verdict" "suspicious", "remediationstatus" "none", "accountname" "ieuser", "domainname" "se pov j2test", "usersid" "s 1 5 21 321011808 3761883066 353627080 1000" }, { "entitytype" "file", "evidencecreationtime" "2023 05 08t23 07 28 2033333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "3395856ce81f2b7382dee72602f798b642f14140", "sha256" "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", "filename" "eicar\[1] com", "filepath" "c \\\users\\\ieuser\\\appdata\\\local\\\packages\\\microsoft microsoftedge 8wekyb3d8bbwe\\\ac\\\\#!001\\\microsoftedge\\\cache\\\l494h60m", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "process", "evidencecreationtime" "2023 05 08t23 07 28 2033333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "dea5960571532f73d886f5dd79b0f7eed6f10582", "sha256" "34b6d32d2345db5dfe803573f4aa74479ea961004b2f72d25a486d55369aecd8", "filename" "microsoftedgecp exe", "filepath" "c \\\windows\\\system32", "processid" 3476, "processcommandline" "\\"microsoftedgecp exe\\" servername\ windows internal webruntime contentprocessserver", "processcreationtime" "2023 05 08t23 05 20 9209793z", "parentprocessid" 784, "parentprocesscreationtime" "2023 05 08t22 25 51 13342z", "parentprocessfilename" "svchost exe", "accountname" "ieuser", "domainname" "se pov j2test", "usersid" "s 1 5 21 321011808 3761883066 353627080 1000", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 08t23 19 33 8866667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "3395856ce81f2b7382dee72602f798b642f14140", "sha256" "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", "filename" "eicar com", "filepath" "c \\\users\\\ieuser\\\appdata\\\local\\\temp\\\temp1 eicar com zip", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" 
}, { "entitytype" "process", "evidencecreationtime" "2023 05 08t23 19 33 8866667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "3eb9d6f8f4448cb1fd6478189edebe3d70477ea7", "sha256" "b759293373a11d1a972873a902bc64b2c9690ab947ce4a185cd047195521296d", "filename" "explorer exe", "filepath" "c \\\windows", "processid" 3924, "processcommandline" "explorer exe", "processcreationtime" "2023 05 08t22 25 53 5240016z", "parentprocessid" 3804, "parentprocesscreationtime" "2023 05 08t22 25 53 3248045z", "parentprocessfilename" "userinit exe", "accountname" "ieuser", "domainname" "se pov j2test", "usersid" "s 1 5 21 321011808 3761883066 353627080 1000", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 09t16 25 21 2433333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "3395856ce81f2b7382dee72602f798b642f14140", "sha256" "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", "filename" "eicar com", "filepath" "c \\\sample\\\embedded\\\framework\\\data", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] }, { "alertid" "da638191847736495360 162167123", "provideralertid" "da638191847736495360 162167123", "incidentid" 432, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 08t23 19 33 649558z", "lastupdatedtime" "2023 05 08t23 19 34 3833333z", "resolvedtime" null, "firstactivity" "2023 05 08t23 17 32 4253366z", "lastactivity" "2023 05 08t23 17 33 4410201z", "title" "test", "description" "test", "category" "suspiciousactivity", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedos", "classification" null, "determination" null, "detectionsource" "customerti", "detectorid" "360fdb3b 18a9 471b 9ad0 ad80a4cbcb00", "assignedto" null, "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" 
"743dba7b1e1c25bee62b16e88a039c9a2401a21c", "aaddeviceid" null, "devicednsname" "se pov j2test", "osplatform" "other", "version" "other", "osprocessor" null, "osbuild" null, "healthstatus" "active", "riskscore" "high", "rbacgroupname" null, "firstseen" "2023 05 08t22 05 53 2746305z", "tags" \[], "defenderavstatus" "notsupported", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "ieuser", "domainname" "se pov j2test" } ] } ], "entities" \[ { "entitytype" "user", "evidencecreationtime" "2023 05 08t23 19 33 82z", "verdict" "suspicious", "remediationstatus" "none", "accountname" "ieuser", "domainname" "se pov j2test", "usersid" "s 1 5 21 321011808 3761883066 353627080 1000" }, { "entitytype" "file", "evidencecreationtime" "2023 05 08t23 19 33 82z", "verdict" "suspicious", "remediationstatus" "none", "filename" "eicarcom2 zip 1ryeq5m partial", "filepath" "c \\\users\\\ieuser\\\downloads", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 08t23 19 33 82z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "bec1b52d350d721c7e22a6d4bb0a92909893a3ae", "sha256" "e1105070ba828007508566e28a2b8d4c65d192e9eaf3b7868382b7cae747b397", "filename" "eicarcom2 zip", "filepath" "c \\\users\\\ieuser\\\downloads", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "process", "evidencecreationtime" "2023 05 08t23 19 33 82z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "8f1330d097a3a612dbbc7c1e39e1d1e2c06e6634", "sha256" "609a3a73a983a1c47511282d31d9fcfe7909950944ac5324344596215cd778aa", "filename" "browser broker exe", "filepath" "c \\\windows\\\system32", "processid" 8932, "processcommandline" "browser broker exe embedding", "processcreationtime" "2023 05 08t22 26 42 1658603z", "parentprocessid" 784, "parentprocesscreationtime" "2023 05 08t22 25 51 13342z", "parentprocessfilename" 
"svchost exe", "accountname" "ieuser", "domainname" "se pov j2test", "usersid" "s 1 5 21 321011808 3761883066 353627080 1000", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "file", "evidencecreationtime" "2023 05 08t23 19 34 0066667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "bec1b52d350d721c7e22a6d4bb0a92909893a3ae", "sha256" "e1105070ba828007508566e28a2b8d4c65d192e9eaf3b7868382b7cae747b397", "filename" "eicarcom2\[1] zip", "filepath" "c \\\users\\\ieuser\\\appdata\\\local\\\packages\\\microsoft microsoftedge 8wekyb3d8bbwe\\\ac\\\\#!001\\\microsoftedge\\\cache\\\x8vh15nv", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" }, { "entitytype" "process", "evidencecreationtime" "2023 05 08t23 19 34 0066667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "dea5960571532f73d886f5dd79b0f7eed6f10582", "sha256" "34b6d32d2345db5dfe803573f4aa74479ea961004b2f72d25a486d55369aecd8", "filename" "microsoftedgecp exe", "filepath" "c \\\windows\\\system32", "processid" 2984, "processcommandline" "\\"microsoftedgecp exe\\" servername\ windows internal webruntime contentprocessserver", "processcreationtime" "2023 05 08t23 16 20 5108024z", "parentprocessid" 784, "parentprocesscreationtime" "2023 05 08t22 25 51 13342z", "parentprocessfilename" "svchost exe", "accountname" "ieuser", "domainname" "se pov j2test", "usersid" "s 1 5 21 321011808 3761883066 353627080 1000", "detectionstatus" "detected", "deviceid" "743dba7b1e1c25bee62b16e88a039c9a2401a21c" } ] } ] }, { "incidentid" 433, "incidenturi" "https //security microsoft com/incidents/433?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 419, "incidentname" "'eicar test file' malware was detected on one endpoint", "createdtime" "2023 05 08t23 09 34 81z", "lastupdatetime" "2023 05 08t23 10 30 98z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", 
"severity" "informational", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 431, "incidenturi" "https //security microsoft com/incidents/431?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 419, "incidentname" "'skeeyah' malware was detected on one endpoint", "createdtime" "2023 05 08t08 50 22 2566667z", "lastupdatetime" "2023 05 08t08 50 23 8966667z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "informational", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 430, "incidenturi" "https //security microsoft com/incidents/430?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 419, "incidentname" "malware was detected in a zip archive file during a scheduled scan on one endpoint", "createdtime" "2023 05 08t01 19 14 45z", "lastupdatetime" "2023 05 08t01 19 45 73z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "informational", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 428, "incidenturi" "https //security microsoft com/incidents/428?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "initial access incident involving one user", "createdtime" "2023 05 07t19 18 31 26z", "lastupdatetime" "2023 05 07t21 14 17 2833333z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "active", "severity" "high", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "ad777efcc2f062c0e97f883b3dfe462ec3109085a1", "provideralertid" "8d914a50cf8dd47548e4f527008d91d09db2fab2099f0eefa82a243f575d1246", "incidentid" 428, "servicesource" "aadidentityprotection", "creationtime" "2023 05 07t19 18 30 797651z", "lastupdatedtime" "2023 05 07t19 18 31 8333333z", "resolvedtime" null, "firstactivity" "2023 05 07t19 15 41 2600356z", "lastactivity" "2023 05 07t19 15 41 2600356z", "title" "unfamiliar sign in properties", "description" "the 
following properties of this sign in are unfamiliar for the given user asn, browser, device, ip, easid, tenantipsubnet", "category" "initialaccess", "status" "new", "severity" "high", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" null, "determination" null, "detectionsource" "aad", "detectorid" "unfamiliarlocation", "assignedto" null, "actorname" null, "threatfamilyname" null, "mitretechniques" \[ "t1078", "t1078 004" ], "devices" \[], "entities" \[ { "entitytype" "user", "evidencecreationtime" "2023 05 07t19 18 31z", "verdict" "suspicious", "remediationstatus" "none", "accountname" "pov", "usersid" "s 1 12 1 1510799150 1340649529 3182594751 1539246002", "aaduserid" "5a0cf72e b039 4fe8 bf8a b2bdb207bf5b", "userprincipalname" "pov\@swimlaneintegrations onmicrosoft com" }, { "entitytype" "ip", "evidencecreationtime" "2023 05 07t19 18 31z", "verdict" "suspicious", "remediationstatus" "none", "ipaddress" "52 206 245 101" } ] }, { "alertid" "ad8cb24cb2593729f5d8839c2ae48d4b55a18ac74f", "provideralertid" "dce9aa40932d11f01da66abd756ae18fc0c90204dfcffd9655d4904ae5325832", "incidentid" 428, "servicesource" "aadidentityprotection", "creationtime" "2023 05 07t21 09 21 650881z", "lastupdatedtime" "2023 05 07t21 14 17 22z", "resolvedtime" null, "firstactivity" "2023 05 07t19 15 41 2600356z", "lastactivity" "2023 05 07t19 15 41 2600356z", "title" "atypical travel", "description" "sign in from an atypical location based on the user\u2019s recent sign ins", "category" "initialaccess", "status" "new", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" null, "determination" null, "detectionsource" "aad", "detectorid" "impossibletravel", "assignedto" null, "actorname" null, "threatfamilyname" null, "mitretechniques" \[ "t1078", "t1078 004" ], "devices" \[], "entities" \[ { "entitytype" "user", "evidencecreationtime" "2023 05 07t21 09 21 8366667z", "verdict" "suspicious", 
"remediationstatus" "none", "accountname" "pov", "usersid" "s 1 12 1 1510799150 1340649529 3182594751 1539246002", "aaduserid" "5a0cf72e b039 4fe8 bf8a b2bdb207bf5b", "userprincipalname" "pov\@swimlaneintegrations onmicrosoft com" }, { "entitytype" "ip", "evidencecreationtime" "2023 05 07t21 09 21 8366667z", "verdict" "suspicious", "remediationstatus" "none", "ipaddress" "52 206 245 101" }, { "entitytype" "ip", "evidencecreationtime" "2023 05 07t21 09 21 8366667z", "verdict" "suspicious", "remediationstatus" "none", "ipaddress" "172 58 7 42" } ] } ] }, { "incidentid" 429, "incidenturi" "https //security microsoft com/incidents/429?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 428, "incidentname" "atypical travel involving one user", "createdtime" "2023 05 07t21 09 22 06z", "lastupdatetime" "2023 05 07t21 14 17 14z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 427, "incidenturi" "https //security microsoft com/incidents/427?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 419, "incidentname" "'shellcode' exploit malware was detected on one endpoint", "createdtime" "2023 05 07t15 15 10 33z", "lastupdatetime" "2023 05 07t15 17 03 47z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "low", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 424, "incidenturi" "https //security microsoft com/incidents/424?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 419, "incidentname" "'skeeyah' malware was detected during a scheduled scan on one endpoint", "createdtime" "2023 05 07t13 25 22 4666667z", "lastupdatetime" "2023 05 07t13 27 18 71z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "informational", "tags" \[], "comments" \[], "alerts" \[] }, { 
"incidentid" 425, "incidenturi" "https //security microsoft com/incidents/425?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 419, "incidentname" "malware was detected in a zip archive file during a scheduled scan on one endpoint", "createdtime" "2023 05 07t13 25 22 4666667z", "lastupdatetime" "2023 05 07t13 27 18 71z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "informational", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 426, "incidenturi" "https //security microsoft com/incidents/426?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 419, "incidentname" "'cryptinject' malware was detected during a scheduled scan on one endpoint", "createdtime" "2023 05 07t13 25 22 4766667z", "lastupdatetime" "2023 05 07t13 27 18 71z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "informational", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 411, "incidenturi" "https //security microsoft com/incidents/411?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "connection to a custom network indicator on one endpoint", "createdtime" "2023 04 28t15 26 21 75z", "lastupdatetime" "2023 05 07t04 29 49 64z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "active", "severity" "informational", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "daaee6e92d 64aa 478b aa9b 851c8890ef01 1", "provideralertid" "aee6e92d 64aa 478b aa9b 851c8890ef01 1", "incidentid" 411, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 04 28t15 26 21 1558311z", "lastupdatedtime" "2023 05 01t13 23 23 1066667z", "resolvedtime" null, "firstactivity" "2023 04 28t15 22 12 6050889z", "lastactivity" "2023 05 01t13 17 16 729907z", "title" "connection to a custom network indicator", "description" "an endpoint has connected to a url or domain 
in your list of custom indicators ", "category" "commandandcontrol", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" null, "determination" null, "detectionsource" "customerti", "detectorid" "08dfd06f d2e2 4049 899f 67b406311d84", "assignedto" null, "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ] } ], "entities" \[ { "entitytype" "user", "evidencecreationtime" "2023 04 28t15 26 21 4z", "verdict" "suspicious", "remediationstatus" "none", "accountname" "chris phillips", "domainname" "se pov desktop", "usersid" "s 1 5 21 194594600 1176474489 2137218832 1001", "userprincipalname" "chris phillips\@tritonamps com" }, { "entitytype" "url", "evidencecreationtime" "2023 04 28t15 26 21 4z", "verdict" "suspicious", "remediationstatus" "active", "url" "https //www google com/" }, { "entitytype" "url", "evidencecreationtime" "2023 04 28t15 26 21 4z", "verdict" "suspicious", "remediationstatus" "active", "url" "www google com" }, { "entitytype" "process", "evidencecreationtime" "2023 04 28t15 26 21 4z", "verdict" "suspicious", "remediationstatus" "active", "sha1" "8031c7351854c0bde1ad92ccc4d692ae7760a61d", "sha256" "df288ae318eadac6005fd8f73a61b87d234a5f8ff4e3553843e956b680879659", "filename" "msedge exe", "filepath" "c \\\program files (x86)\\\microsoft\\\edge\\\application", "processid" 9828, "processcommandline" "\\"msedge exe\\" no startup window /prefetch 5", 
"processcreationtime" "2023 04 26t15 08 10 5463209z", "parentprocessid" 5112, "parentprocesscreationtime" "2023 04 26t15 03 46 0480713z", "parentprocessfilename" "msedge exe", "parentprocessfilepath" "\\\device\\\harddiskvolume2\\\program files (x86)\\\microsoft\\\edge\\\application", "accountname" "chris phillips", "domainname" "se pov desktop", "usersid" "s 1 5 21 194594600 1176474489 2137218832 1001", "userprincipalname" "chris phillips\@tritonamps com", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] }, { "alertid" "da0151ff7c d662 4f3a b924 ff2eff6b862e 1", "provideralertid" "0151ff7c d662 4f3a b924 ff2eff6b862e 1", "incidentid" 411, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 07t04 27 27 7716649z", "lastupdatedtime" "2023 05 07t06 31 08 9633333z", "resolvedtime" null, "firstactivity" "2023 05 07t04 24 58 3422466z", "lastactivity" "2023 05 07t06 29 28 83093z", "title" "connection to a custom network indicator", "description" "an endpoint has connected to a url or domain in your list of custom indicators ", "category" "commandandcontrol", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" null, "determination" null, "detectionsource" "customerti", "detectorid" "08dfd06f d2e2 4049 899f 67b406311d84", "assignedto" null, "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ] } ], "entities" \[ { 
"entitytype" "user", "evidencecreationtime" "2023 05 07t04 27 27 9933333z", "verdict" "suspicious", "remediationstatus" "none", "accountname" "chris phillips", "domainname" "se pov desktop", "usersid" "s 1 5 21 194594600 1176474489 2137218832 1001", "userprincipalname" "chris phillips\@tritonamps com" }, { "entitytype" "url", "evidencecreationtime" "2023 05 07t04 27 27 9933333z", "verdict" "suspicious", "remediationstatus" "none", "url" "https //www google com/" }, { "entitytype" "url", "evidencecreationtime" "2023 05 07t04 27 27 9933333z", "verdict" "suspicious", "remediationstatus" "none", "url" "www google com" }, { "entitytype" "process", "evidencecreationtime" "2023 05 07t04 27 27 9933333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "3974cd2f9f3b43a3d219629f7e10c58f24d51dbd", "sha256" "bc37f2b0e6d5bb579d89a87b40c2d62ca01953d8968700cd17082f1bdfda6f61", "filename" "msedge exe", "filepath" "c \\\program files (x86)\\\microsoft\\\edge\\\application", "processid" 7784, "processcommandline" "\\"msedge exe\\" profile directory=default", "processcreationtime" "2023 05 06t02 41 22 0069738z", "parentprocessid" 2176, "parentprocesscreationtime" "2023 05 06t02 41 04 4031743z", "parentprocessfilename" "explorer exe", "parentprocessfilepath" "\\\device\\\harddiskvolume2\\\windows", "accountname" "chris phillips", "domainname" "se pov desktop", "usersid" "s 1 5 21 194594600 1176474489 2137218832 1001", "userprincipalname" "chris phillips\@tritonamps com", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] } ] }, { "incidentid" 422, "incidenturi" "https //security microsoft com/incidents/422?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 411, "incidentname" "connection to a custom network indicator on one endpoint", "createdtime" "2023 05 07t04 27 28 2333333z", "lastupdatetime" "2023 05 07t04 29 49 2233333z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" 
"redirected", "severity" "informational", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 420, "incidenturi" "https //security microsoft com/incidents/420?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 419, "incidentname" "'aicat' exploit malware was detected on one endpoint", "createdtime" "2023 05 06t22 56 50 5966667z", "lastupdatetime" "2023 05 06t22 57 41 7133333z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "low", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 421, "incidenturi" "https //security microsoft com/incidents/421?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 419, "incidentname" "'cve 2014 0515' exploit malware was detected on one endpoint", "createdtime" "2023 05 06t22 56 50 6333333z", "lastupdatetime" "2023 05 06t22 57 41 7133333z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "low", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 418, "incidenturi" "https //security microsoft com/incidents/418?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "'cobacis' malware was detected on one endpoint", "createdtime" "2023 05 05t00 49 23 8666667z", "lastupdatetime" "2023 05 05t01 08 07 45z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "resolved", "severity" "informational", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "da9c5d442f 47e0 4f1c 90ea 5e724f1680bb 1", "provideralertid" "9c5d442f 47e0 4f1c 90ea 5e724f1680bb 1", "incidentid" 418, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 05t00 49 23 3880679z", "lastupdatedtime" "2023 05 05t01 08 07 45z", "resolvedtime" "2023 05 05t01 08 07 2708226z", "firstactivity" "2023 05 05t00 47 42 3098762z", "lastactivity" "2023 05 05t00 47 42 3098762z", "title" "'cobacis' malware was detected", "description" 
"malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "resolved", "severity" "informational", "investigationid" 14, "investigationstate" "benign", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" "automation", "actorname" null, "threatfamilyname" "cobacis", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 05 05t00 49 23 6133333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "7324497bd4ccc7aab41103e7d80d408bd202fc5a", "sha256" "d1cbdf6f843f519230a65e74d569d4db1939d72fffbb31afe51a6469df514853", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] } ] }, { "incidentid" 416, "incidenturi" "https //security microsoft com/incidents/416?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, 
"incidentname" "initial access incident involving one user", "createdtime" "2023 05 04t12 50 02 1966667z", "lastupdatetime" "2023 05 04t15 35 54 44z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "active", "severity" "high", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "adce1e62861447b96a8c28874d278a0222fd6db919", "provideralertid" "b75bcc1bc13d9e44c9f0e4984e19e1d9fd638420752d3306f7b5b24b55eba939", "incidentid" 416, "servicesource" "aadidentityprotection", "creationtime" "2023 05 04t12 50 01 7608721z", "lastupdatedtime" "2023 05 04t12 50 02 7266667z", "resolvedtime" null, "firstactivity" "2023 05 04t12 46 59 544816z", "lastactivity" "2023 05 04t12 46 59 544816z", "title" "unfamiliar sign in properties", "description" "the following properties of this sign in are unfamiliar for the given user asn, browser, device, ip, location, easid, tenantipsubnet", "category" "initialaccess", "status" "new", "severity" "high", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" null, "determination" null, "detectionsource" "aad", "detectorid" "unfamiliarlocation", "assignedto" null, "actorname" null, "threatfamilyname" null, "mitretechniques" \[ "t1078", "t1078 004" ], "devices" \[], "entities" \[ { "entitytype" "user", "evidencecreationtime" "2023 05 04t12 50 01 9466667z", "verdict" "suspicious", "remediationstatus" "none", "accountname" "pov", "usersid" "s 1 12 1 1510799150 1340649529 3182594751 1539246002", "aaduserid" "5a0cf72e b039 4fe8 bf8a b2bdb207bf5b", "userprincipalname" "pov\@swimlaneintegrations onmicrosoft com" }, { "entitytype" "ip", "evidencecreationtime" "2023 05 04t12 50 01 9466667z", "verdict" "suspicious", "remediationstatus" "none", "ipaddress" "200 123 141 6" } ] }, { "alertid" "ad17ddfeca2c8ad9032bd3dffc539fe2671f217f80", "provideralertid" "f4d9f33e5236e667c0f9d7f1899e1d573d10ca7506ae44fa349b1779a7be8d6d", "incidentid" 416, "servicesource" "aadidentityprotection", 
"creationtime" "2023 05 04t15 29 47 9057895z", "lastupdatedtime" "2023 05 04t15 35 54 2933333z", "resolvedtime" null, "firstactivity" "2023 05 04t12 46 59 544816z", "lastactivity" "2023 05 04t12 46 59 544816z", "title" "atypical travel", "description" "sign in from an atypical location based on the user\u2019s recent sign ins", "category" "initialaccess", "status" "new", "severity" "high", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" null, "determination" null, "detectionsource" "aad", "detectorid" "impossibletravel", "assignedto" null, "actorname" null, "threatfamilyname" null, "mitretechniques" \[ "t1078", "t1078 004" ], "devices" \[], "entities" \[ { "entitytype" "user", "evidencecreationtime" "2023 05 04t15 29 48 14z", "verdict" "suspicious", "remediationstatus" "none", "accountname" "pov", "usersid" "s 1 12 1 1510799150 1340649529 3182594751 1539246002", "aaduserid" "5a0cf72e b039 4fe8 bf8a b2bdb207bf5b", "userprincipalname" "pov\@swimlaneintegrations onmicrosoft com" }, { "entitytype" "ip", "evidencecreationtime" "2023 05 04t15 29 48 14z", "verdict" "suspicious", "remediationstatus" "none", "ipaddress" "200 123 141 6" }, { "entitytype" "ip", "evidencecreationtime" "2023 05 04t15 29 48 14z", "verdict" "suspicious", "remediationstatus" "none", "ipaddress" "172 56 96 43" } ] } ] }, { "incidentid" 417, "incidenturi" "https //security microsoft com/incidents/417?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 416, "incidentname" "atypical travel involving one user", "createdtime" "2023 05 04t15 29 50 5433333z", "lastupdatetime" "2023 05 04t15 35 54 2033333z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "high", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 414, "incidenturi" "https //security microsoft com/incidents/414?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "initial access incident 
involving one user", "createdtime" "2023 05 04t07 45 08 9366667z", "lastupdatetime" "2023 05 04t10 24 43 7033333z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "active", "severity" "high", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "ada522e9e5683a1632ab4b7be94f9748e9a70fe93a", "provideralertid" "c54373d0f72c4ee29ddcbedcff8c7da8225d618c6a9a7dd1a76c0122e9b1d121", "incidentid" 414, "servicesource" "aadidentityprotection", "creationtime" "2023 05 04t07 45 08 4800056z", "lastupdatedtime" "2023 05 04t07 45 09 45z", "resolvedtime" null, "firstactivity" "2023 05 04t07 41 18 833117z", "lastactivity" "2023 05 04t07 41 18 833117z", "title" "unfamiliar sign in properties", "description" "the following properties of this sign in are unfamiliar for the given user asn, browser, device, ip, location, easid, tenantipsubnet", "category" "initialaccess", "status" "new", "severity" "high", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" null, "determination" null, "detectionsource" "aad", "detectorid" "unfamiliarlocation", "assignedto" null, "actorname" null, "threatfamilyname" null, "mitretechniques" \[ "t1078", "t1078 004" ], "devices" \[], "entities" \[ { "entitytype" "user", "evidencecreationtime" "2023 05 04t07 45 08 6733333z", "verdict" "suspicious", "remediationstatus" "none", "accountname" "travis riley", "usersid" "s 1 12 1 2203744918 1310862935 187533957 4174603021", "aaduserid" "835a7a96 2e57 4e22 858a 2d0b0d63d3f8", "userprincipalname" "travis riley\@swimlaneintegrations onmicrosoft com" }, { "entitytype" "ip", "evidencecreationtime" "2023 05 04t07 45 08 6733333z", "verdict" "suspicious", "remediationstatus" "none", "ipaddress" "27 6 26 149" } ] }, { "alertid" "ad003513be0ab559532d3b81d847b8b53f0e75a231", "provideralertid" "f9da7642fa8b73f3465c7c9786a69ebbdfdba760dc0ed7f3d26b7c05deda36e", "incidentid" 414, "servicesource" "aadidentityprotection", "creationtime" "2023 05 04t09 06 50 
6966762z", "lastupdatedtime" "2023 05 04t10 24 43 4933333z", "resolvedtime" null, "firstactivity" "2023 05 04t07 41 18 833117z", "lastactivity" "2023 05 04t07 41 18 833117z", "title" "atypical travel", "description" "sign in from an atypical location based on the user\u2019s recent sign ins", "category" "initialaccess", "status" "new", "severity" "high", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" null, "determination" null, "detectionsource" "aad", "detectorid" "impossibletravel", "assignedto" null, "actorname" null, "threatfamilyname" null, "mitretechniques" \[ "t1078", "t1078 004" ], "devices" \[], "entities" \[ { "entitytype" "user", "evidencecreationtime" "2023 05 04t09 06 50 8733333z", "verdict" "suspicious", "remediationstatus" "none", "accountname" "travis riley", "usersid" "s 1 12 1 2203744918 1310862935 187533957 4174603021", "aaduserid" "835a7a96 2e57 4e22 858a 2d0b0d63d3f8", "userprincipalname" "travis riley\@swimlaneintegrations onmicrosoft com" }, { "entitytype" "ip", "evidencecreationtime" "2023 05 04t09 06 50 8733333z", "verdict" "suspicious", "remediationstatus" "none", "ipaddress" "27 6 26 149" }, { "entitytype" "ip", "evidencecreationtime" "2023 05 04t09 06 50 8733333z", "verdict" "suspicious", "remediationstatus" "none", "ipaddress" "8 29 228 38" } ] } ] }, { "incidentid" 415, "incidenturi" "https //security microsoft com/incidents/415?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 414, "incidentname" "atypical travel involving one user", "createdtime" "2023 05 04t09 06 51 2266667z", "lastupdatetime" "2023 05 04t10 24 43 3833333z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "high", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 413, "incidenturi" "https //security microsoft com/incidents/413?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "unused apps", "createdtime" 
"2023 05 04t04 30 11 6166667z", "lastupdatetime" "2023 05 04t04 30 11 7866667z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "active", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "maa5be8ffc1517a68676a50bb27568b27ca3d73335401808f3c648d8b90ca391", "provideralertid" "a5be8ffc1517a68676a50bb27568b27ca3d73335401808f3c648d8b90ca391", "incidentid" 413, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 05 04t04 30 11 1415524z", "lastupdatedtime" "2023 05 04t04 30 12 1833333z", "resolvedtime" null, "firstactivity" "2023 05 04t04 21 28 117z", "lastactivity" "2023 05 04t04 21 28 117z", "title" "unused apps", "description" "the cloud app (ms ad graph app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=21d5826b 2176 482b 895b 3b067921c4d0\\">ms ad graph app\</a>", "category" "suspiciousactivity", "status" "new", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" null, "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" null, "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 05 04t04 30 11 3566667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "21d5826b 2176 482b 895b 3b067921c4d0", "applicationname" "ms ad graph app" } ] } ] }, { "incidentid" 412, "incidenturi" "https //security microsoft com/incidents/412?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "connection to a custom network indicator on one endpoint", "createdtime" "2023 05 01t19 18 29 2466667z", "lastupdatetime" "2023 05 01t19 18 29 4666667z", "assignedto" null, 
"classification" "unknown", "determination" "notavailable", "status" "active", "severity" "informational", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "dafc3894c7 9ed6 4d21 b990 7b858617fd8a 1", "provideralertid" "fc3894c7 9ed6 4d21 b990 7b858617fd8a 1", "incidentid" 412, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 05 01t19 18 27 6846556z", "lastupdatedtime" "2023 05 01t19 18 30 2733333z", "resolvedtime" null, "firstactivity" "2023 05 01t19 15 14 1182628z", "lastactivity" "2023 05 01t19 15 14 1182628z", "title" "connection to a custom network indicator", "description" "an endpoint has connected to a url or domain in your list of custom indicators ", "category" "commandandcontrol", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" null, "determination" null, "detectionsource" "customerti", "detectorid" "08dfd06f d2e2 4049 899f 67b406311d84", "assignedto" null, "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ] } ], "entities" \[ { "entitytype" "user", "evidencecreationtime" "2023 05 01t19 18 28 51z", "verdict" "suspicious", "remediationstatus" "none", "accountname" "chris phillips", "domainname" "se pov desktop", "usersid" "s 1 5 21 194594600 1176474489 2137218832 1001", "userprincipalname" "chris phillips\@tritonamps com" }, { "entitytype" "url", "evidencecreationtime" "2023 05 01t19 18 28 51z", "verdict" "suspicious", 
"remediationstatus" "none", "url" "https //www facebook com/tr" }, { "entitytype" "url", "evidencecreationtime" "2023 05 01t19 18 28 51z", "verdict" "suspicious", "remediationstatus" "none", "url" "www facebook com" }, { "entitytype" "process", "evidencecreationtime" "2023 05 01t19 18 28 51z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "8031c7351854c0bde1ad92ccc4d692ae7760a61d", "sha256" "df288ae318eadac6005fd8f73a61b87d234a5f8ff4e3553843e956b680879659", "filename" "msedge exe", "filepath" "c \\\program files (x86)\\\microsoft\\\edge\\\application", "processid" 9828, "processcommandline" "\\"msedge exe\\" no startup window /prefetch 5", "processcreationtime" "2023 04 26t15 08 10 5463209z", "parentprocessid" 5112, "parentprocesscreationtime" "2023 04 26t15 03 46 0480713z", "parentprocessfilename" "msedge exe", "parentprocessfilepath" "\\\device\\\harddiskvolume2\\\program files (x86)\\\microsoft\\\edge\\\application", "accountname" "chris phillips", "domainname" "se pov desktop", "usersid" "s 1 5 21 194594600 1176474489 2137218832 1001", "userprincipalname" "chris phillips\@tritonamps com", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] } ] }, { "incidentid" 410, "incidenturi" "https //security microsoft com/incidents/410?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "unused app", "createdtime" "2023 04 27t04 23 23 3966667z", "lastupdatetime" "2023 04 27t04 23 23 5366667z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "active", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "ma50414212 6d7c 42d2 95d7 4269ad36e040", "provideralertid" "50414212 6d7c 42d2 95d7 4269ad36e040", "incidentid" 410, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 04 27t04 23 22 8797805z", "lastupdatedtime" "2023 04 27t04 23 24 0366667z", "resolvedtime" null, "firstactivity" "2023 04 27t04 22 51 027z", 
"lastactivity" "2023 04 27t04 22 51 027z", "title" "unused app", "description" "the cloud app (security alerts) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=be3de347 1cd7 4947 a1a4 b0ea71337486\\">security alerts\</a>", "category" "suspiciousactivity", "status" "new", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" null, "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" null, "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 04 27t04 23 23 12z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "be3de347 1cd7 4947 a1a4 b0ea71337486", "applicationname" "security alerts" } ] } ] }, { "incidentid" 409, "incidenturi" "https //security microsoft com/incidents/409?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "multiple threat families detected on one endpoint", "createdtime" "2023 04 26t19 07 44 3133333z", "lastupdatetime" "2023 04 26t19 19 19 87z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "active", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "dac34692e9 5835 421c 8358 0393b3723ee8 1", "provideralertid" "c34692e9 5835 421c 8358 0393b3723ee8 1", "incidentid" 409, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 04 26t19 07 43 6314655z", "lastupdatedtime" "2023 04 26t19 19 19 87z", "resolvedtime" "2023 04 26t19 19 19 6865725z", "firstactivity" "2023 04 26t18 56 29 4275403z", "lastactivity" "2023 04 26t19 01 01 5342168z", "title" "'shellcode' exploit malware was detected", "description" "exploits take advantage of unsecure 
code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "resolved", "severity" "low", "investigationid" 13, "investigationstate" "benign", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" "api action", "actorname" null, "threatfamilyname" "shellcode", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 04 26t19 07 44 0133333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "8a0feaaa9d65588b2b9efdadf7b334a0f996032f", "sha256" "12784b3fe2e70ee17b20f0640c0bce26701e3f463884f86bb645e73ab8ab8124", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t19 07 44 3z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "4153d7617f1df3bacb98927f478fdda5f2a7003c", "sha256" 
"cc49aa4ad5482a95b3cef5e296951980aac74a9367bd4c6ae94dfae305dd4d75", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t19 08 24 29z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "5b3e9b0a9d4d5de278e41caf0103f1e645cb956d", "sha256" "183808c5082c7738f0d01dbc299bb5e28a71e5d45e607aca6fe102a6f639a445", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t19 08 24 4166667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "e3f8095c01dff061ce3902fe9bc1b0e3877f258a", "sha256" "7a281bd63bc5b04e1ded5ff42808b59d530577b26f3453a1b208c3a0bcfcc458", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t19 08 24 6866667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "8cbdc799070926a38deccf5812c3ff65ecdd33be", "sha256" "df8d023ada34fa97fc679b0ce3cb4065940bbf5ec80d57504dc37f8d9bf84991", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t19 08 24 8966667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "01340aa0f6efb9c1c67d22fe6f11f86613b02b6f", "sha256" "77dff28ef7ecb5e1a63cc48a0fd3b25be7278d23a3e2cca56a6487664f6108f3", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" 
"556b3952acb0bff29816d267822305781cc183ec" } ] }, { "alertid" "da5a9d6588 c19d 4830 890b dc56ee38c0c7 1", "provideralertid" "5a9d6588 c19d 4830 890b dc56ee38c0c7 1", "incidentid" 409, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 04 26t19 07 43 6797826z", "lastupdatedtime" "2023 04 26t19 09 51 96z", "resolvedtime" null, "firstactivity" "2023 04 26t18 56 29 42738z", "lastactivity" "2023 04 26t19 01 01 5335947z", "title" "meterpreter post exploitation tool", "description" "meterpreter, a post exploitation tool was detected on this device meterpreter is deployed using dll injection meterpreter was used in a wide range of documented attacks, including attacks involving state sponsored groups and groups associated with ransomware campaigns an attacker might be attempting to establish persistence, discover and steal credentials, or install and launch a payload in the device that might lead to further system compromise detections of meterpreter tools and activity should be thoroughly investigated ", "category" "suspiciousactivity", "status" "new", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "f37b8bc2 cfd2 4a8e ac62 24a7df1e698c", "assignedto" null, "actorname" null, "threatfamilyname" "meterpreter", "mitretechniques" \[ "t1055 001" ], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" 
"2023 04 26t19 07 44 0133333z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "3dd0cca8397a7863ac3113e20cb34e8e77e3c189", "sha256" "4bd6fc62a26c09c771ae664209f35767b5cfb8547694f3c54d83d97ccdbe3278", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] } ] }, { "incidentid" 408, "incidenturi" "https //security microsoft com/incidents/408?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 409, "incidentname" "meterpreter post exploitation tool on one endpoint", "createdtime" "2023 04 26t19 07 44 3133333z", "lastupdatetime" "2023 04 26t19 09 51 89z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 406, "incidenturi" "https //security microsoft com/incidents/406?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "suspicious activity incident on one endpoint", "createdtime" "2023 04 26t15 08 36 3066667z", "lastupdatetime" "2023 04 26t15 35 48 8566667z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "resolved", "severity" "informational", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "da638181185158896391 633475706", "provideralertid" "da638181185158896391 633475706", "incidentid" 406, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 04 26t15 08 35 8761679z", "lastupdatedtime" "2023 04 26t15 35 48 4666667z", "resolvedtime" "2023 04 26t15 33 39 8027026z", "firstactivity" "2023 04 26t15 05 47 8062393z", "lastactivity" "2023 04 26t15 09 18 9337128z", "title" "test", "description" "test", "category" "suspiciousactivity", "status" "resolved", "severity" "informational", "investigationid" 12, "investigationstate" "successfullyremediated", "classification" null, "determination" null, 
"detectionsource" "customerti", "detectorid" "360fdb3b 18a9 471b 9ad0 ad80a4cbcb00", "assignedto" "api action", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[] } ], "entities" \[ { "entitytype" "user", "evidencecreationtime" "2023 04 26t15 08 36 0666667z", "verdict" "suspicious", "remediationstatus" "none", "accountname" "chris phillips", "domainname" "se pov desktop", "usersid" "s 1 5 21 194594600 1176474489 2137218832 1001", "userprincipalname" "chris phillips\@tritonamps com" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t15 08 36 0666667z", "verdict" "suspicious", "remediationstatus" "notfound", "remediationstatusdetails" "the system cannot find the file specified ", "filename" "unconfirmed 500556 crdownload", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t15 08 36 0666667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "bec1b52d350d721c7e22a6d4bb0a92909893a3ae", "sha256" "e1105070ba828007508566e28a2b8d4c65d192e9eaf3b7868382b7cae747b397", "filename" "eicarcom2 (1) zip", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "process", "evidencecreationtime" "2023 04 26t15 08 36 0666667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "8031c7351854c0bde1ad92ccc4d692ae7760a61d", "sha256" 
"df288ae318eadac6005fd8f73a61b87d234a5f8ff4e3553843e956b680879659", "filename" "msedge exe", "filepath" "c \\\program files (x86)\\\microsoft\\\edge\\\application", "processid" 5112, "processcommandline" "\\"msedge exe\\" no startup window win session start /prefetch 5", "processcreationtime" "2023 04 26t15 03 46 0480713z", "parentprocessid" 4968, "parentprocesscreationtime" "2023 04 26t15 03 20 2885187z", "accountname" "chris phillips", "domainname" "se pov desktop", "usersid" "s 1 5 21 194594600 1176474489 2137218832 1001", "userprincipalname" "chris phillips\@tritonamps com", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "process", "evidencecreationtime" "2023 04 26t15 08 36 5566667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "8031c7351854c0bde1ad92ccc4d692ae7760a61d", "sha256" "df288ae318eadac6005fd8f73a61b87d234a5f8ff4e3553843e956b680879659", "filename" "msedge exe", "filepath" "c \\\program files (x86)\\\microsoft\\\edge\\\application", "processid" 1840, "processcommandline" "\\"msedge exe\\" type=utility utility sub type=quarantine mojom quarantine lang=en us service sandbox type=none mojo platform channel handle=5820 field trial handle=2124,i,17699120498490175102,12163351567194471964,131072 /prefetch 8", "processcreationtime" "2023 04 26t15 05 47 7956542z", "parentprocessid" 5112, "parentprocesscreationtime" "2023 04 26t15 03 46 0480713z", "accountname" "chris phillips", "domainname" "se pov desktop", "usersid" "s 1 5 21 194594600 1176474489 2137218832 1001", "userprincipalname" "chris phillips\@tritonamps com", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t15 08 37 1066667z", "verdict" "suspicious", "remediationstatus" "notfound", "remediationstatusdetails" "the system cannot find the file specified ", "sha1" "bec1b52d350d721c7e22a6d4bb0a92909893a3ae", "filename" "c \\\users\\\chris 
phillips\\\downloads", "filepath" "c \\\users\\\chris phillips" } ] }, { "alertid" "da638181185158896141 667602127", "provideralertid" "da638181185158896141 667602127", "incidentid" 406, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 04 26t15 08 35 8896313z", "lastupdatedtime" "2023 04 26t15 35 48 86z", "resolvedtime" "2023 04 26t15 35 48 6958753z", "firstactivity" "2023 04 26t15 05 50 4145357z", "lastactivity" "2023 04 26t15 08 15 3151687z", "title" "test2", "description" "test2", "category" "suspiciousactivity", "status" "resolved", "severity" "informational", "investigationid" 12, "investigationstate" "successfullyremediated", "classification" null, "determination" null, "detectionsource" "customerti", "detectorid" "360fdb3b 18a9 471b 9ad0 ad80a4cbcb00", "assignedto" "api action", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[] } ], "entities" \[ { "entitytype" "user", "evidencecreationtime" "2023 04 26t15 08 36 46z", "verdict" "suspicious", "remediationstatus" "none", "accountname" "chris phillips", "domainname" "se pov desktop", "usersid" "s 1 5 21 194594600 1176474489 2137218832 1001", "userprincipalname" "chris phillips\@tritonamps com" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t15 08 36 46z", "verdict" "suspicious", "remediationstatus" "notfound", "remediationstatusdetails" "the system cannot find the file specified ", "filename" "unconfirmed 408530 crdownload", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" 
"556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t15 08 36 46z", "verdict" "malicious", "remediationstatus" "remediated", "sha1" "3395856ce81f2b7382dee72602f798b642f14140", "sha256" "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", "filename" "eicar com txt", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "process", "evidencecreationtime" "2023 04 26t15 08 36 46z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "8031c7351854c0bde1ad92ccc4d692ae7760a61d", "sha256" "df288ae318eadac6005fd8f73a61b87d234a5f8ff4e3553843e956b680879659", "filename" "msedge exe", "filepath" "c \\\program files (x86)\\\microsoft\\\edge\\\application", "processid" 5112, "processcommandline" "\\"msedge exe\\" no startup window win session start /prefetch 5", "processcreationtime" "2023 04 26t15 03 46 0480713z", "parentprocessid" 4968, "parentprocesscreationtime" "2023 04 26t15 03 20 2885187z", "accountname" "chris phillips", "domainname" "se pov desktop", "usersid" "s 1 5 21 194594600 1176474489 2137218832 1001", "userprincipalname" "chris phillips\@tritonamps com", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "process", "evidencecreationtime" "2023 04 26t15 08 36 86z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "8031c7351854c0bde1ad92ccc4d692ae7760a61d", "sha256" "df288ae318eadac6005fd8f73a61b87d234a5f8ff4e3553843e956b680879659", "filename" "msedge exe", "filepath" "c \\\program files (x86)\\\microsoft\\\edge\\\application", "processid" 10988, "processcommandline" "\\"msedge exe\\" type=utility utility sub type=quarantine mojom quarantine lang=en us service sandbox type=none mojo platform channel handle=3048 field trial handle=2124,i,17699120498490175102,12163351567194471964,131072 /prefetch 8", "processcreationtime" "2023 04 26t15 
05 50 4046922z", "parentprocessid" 5112, "parentprocesscreationtime" "2023 04 26t15 03 46 0480713z", "accountname" "chris phillips", "domainname" "se pov desktop", "usersid" "s 1 5 21 194594600 1176474489 2137218832 1001", "userprincipalname" "chris phillips\@tritonamps com", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t15 08 37 1466667z", "verdict" "suspicious", "remediationstatus" "notfound", "remediationstatusdetails" "the system cannot find the file specified ", "sha1" "3395856ce81f2b7382dee72602f798b642f14140", "filename" "c \\\users\\\chris phillips\\\downloads", "filepath" "c \\\users\\\chris phillips" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t15 10 35 01z", "verdict" "malicious", "remediationstatus" "remediated", "sha1" "3395856ce81f2b7382dee72602f798b642f14140", "sha256" "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", "filename" "eicar com", "filepath" "c \\\users\\\chris phillips\\\appdata\\\local\\\temp\\\temp1 eicar com zip", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "process", "evidencecreationtime" "2023 04 26t15 10 35 01z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "3e3873d99586dd7d82c3d1f1495215383528d91d", "sha256" "95caa6b0b798ac401f463368415d1504951e09de21557d4106730223a4dd24c0", "filename" "explorer exe", "filepath" "c \\\windows", "processid" 4968, "processcommandline" "explorer exe", "processcreationtime" "2023 04 26t15 03 20 2885187z", "parentprocessid" 2088, "parentprocesscreationtime" "2023 04 26t15 03 19 1339605z", "accountname" "chris phillips", "domainname" "se pov desktop", "usersid" "s 1 5 21 194594600 1176474489 2137218832 1001", "userprincipalname" "chris phillips\@tritonamps com", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] } ] }, { "incidentid" 407, "incidenturi" "https 
//security microsoft com/incidents/407?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "malware incident on one endpoint", "createdtime" "2023 04 26t15 20 11 08z", "lastupdatetime" "2023 04 26t15 35 48 8566667z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "active", "severity" "informational", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "da3e76d950 79f2 4050 b425 82fb969bc92a 1", "provideralertid" "3e76d950 79f2 4050 b425 82fb969bc92a 1", "incidentid" 407, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 04 26t15 20 10 6946z", "lastupdatedtime" "2023 04 26t15 35 48 86z", "resolvedtime" "2023 04 26t15 35 48 6958753z", "firstactivity" "2023 04 26t15 05 59 1225823z", "lastactivity" "2023 04 26t15 09 18 9337128z", "title" "'eicar test file' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "resolved", "severity" "informational", "investigationid" 12, "investigationstate" "successfullyremediated", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" "api action", "actorname" null, "threatfamilyname" "eicar test file", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, 
"healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 04 26t15 20 10 8666667z", "verdict" "malicious", "remediationstatus" "notfound", "remediationstatusdetails" "the system cannot find the file specified ", "sha1" "3395856ce81f2b7382dee72602f798b642f14140", "filename" "eicar com", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t15 20 11 75z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "bec1b52d350d721c7e22a6d4bb0a92909893a3ae", "filename" "eicarcom2 (1) zip", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t15 20 12 1566667z", "verdict" "malicious", "remediationstatus" "remediated", "sha1" "d27265074c9eac2e2122ed69294dbc4d7cce9141", "filename" "eicar com zip", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t15 20 35 22z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "3395856ce81f2b7382dee72602f798b642f14140", "filename" "eicar com txt", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t15 25 00 04z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "3395856ce81f2b7382dee72602f798b642f14140", "sha256" "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", "filename" 
"eicar com txt", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] }, { "alertid" "da163c9003 bc7d 4649 89e3 dfdf927da744 1", "provideralertid" "163c9003 bc7d 4649 89e3 dfdf927da744 1", "incidentid" 407, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 04 26t15 25 00 2604342z", "lastupdatedtime" "2023 04 26t15 27 59 8566667z", "resolvedtime" null, "firstactivity" "2023 04 26t15 05 59 1225425z", "lastactivity" "2023 04 26t15 09 18 9067858z", "title" "malware was detected in a zip archive file", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected devices\u200b some of these undesirable applications can replicate and spread from one device to another other devices receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection indicates that malware was found in an archive file the malware has not been launched if real time protection is turned on and the threat is not excluded, any attempt to detonate the malware from this archive will be blocked ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "12cfe475 4973 4a03 ad53 60dca8bf9d3d", "assignedto" null, "actorname" null, "threatfamilyname" "eicar test file", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", 
"vmmetadata" null, "loggedonusers" \[] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 04 26t15 25 00 2866667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "3395856ce81f2b7382dee72602f798b642f14140", "sha256" "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", "filename" "eicarcom2 (1) zip", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] } ] }, { "incidentid" 404, "incidenturi" "https //security microsoft com/incidents/404?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "multiple threat families detected including ransomware on one endpoint", "createdtime" "2023 04 26t00 47 55 6833333z", "lastupdatetime" "2023 04 26t01 17 24 72z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "resolved", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "da59278d48 685b 44bf 912c 7040e009cd03 1", "provideralertid" "59278d48 685b 44bf 912c 7040e009cd03 1", "incidentid" 404, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 04 26t00 47 55 268943z", "lastupdatedtime" "2023 04 26t01 17 24 7233333z", "resolvedtime" "2023 04 26t01 17 24 3340349z", "firstactivity" "2023 04 26t00 44 40 7717353z", "lastactivity" "2023 04 26t00 44 40 7717353z", "title" "'cve' ransomware was detected", "description" "ransomware use common methods to encrypt files using keys that are known only to attackers as a result, victims are unable to access the contents of the encrypted files most ransomware display or drop a ransom note\u2014an image or an html file that contains information about how to obtain the attacker supplied decryption tool for a fee \u00a0\u00a0 \n\nto target documents or other files that contain user data, some ransomware look for files in certain locations and files with certain extension names it is also common for 
ransomware to rename encrypted files so that they all use the same extension name \u00a0 \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "ransomware", "status" "resolved", "severity" "medium", "investigationid" 10, "investigationstate" "benign", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "51d03c45 b142 4de4 95df 01b0c259d8f6", "assignedto" "api action", "actorname" null, "threatfamilyname" "cve", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 04 26t00 47 55 4466667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "3dd0cca8397a7863ac3113e20cb34e8e77e3c189", "sha256" "4bd6fc62a26c09c771ae664209f35767b5cfb8547694f3c54d83d97ccdbe3278", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] }, { "alertid" "dae7ea088f df7c 4fd3 bc22 ace8b97ca26f 1", "provideralertid" "e7ea088f df7c 4fd3 bc22 ace8b97ca26f 1", "incidentid" 404, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 04 26t00 47 55 3387677z", "lastupdatedtime" "2023 04 26t01 17 24 7233333z", "resolvedtime" "2023 04 26t01 17 24 3340349z", "firstactivity" "2023 04 26t00 44 40 7715629z", "lastactivity" "2023 04 26t00 44 40 
7717086z", "title" "'shellcode' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "resolved", "severity" "low", "investigationid" 10, "investigationstate" "benign", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" "api action", "actorname" null, "threatfamilyname" "shellcode", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 04 26t00 47 55 4666667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "4153d7617f1df3bacb98927f478fdda5f2a7003c", "sha256" "cc49aa4ad5482a95b3cef5e296951980aac74a9367bd4c6ae94dfae305dd4d75", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t00 47 55 67z", "verdict" "suspicious", 
"remediationstatus" "none", "sha1" "8a0feaaa9d65588b2b9efdadf7b334a0f996032f", "sha256" "12784b3fe2e70ee17b20f0640c0bce26701e3f463884f86bb645e73ab8ab8124", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t00 47 55 8z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "e3f8095c01dff061ce3902fe9bc1b0e3877f258a", "sha256" "7a281bd63bc5b04e1ded5ff42808b59d530577b26f3453a1b208c3a0bcfcc458", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t00 47 55 88z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "01340aa0f6efb9c1c67d22fe6f11f86613b02b6f", "sha256" "77dff28ef7ecb5e1a63cc48a0fd3b25be7278d23a3e2cca56a6487664f6108f3", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t00 47 55 9066667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "8cbdc799070926a38deccf5812c3ff65ecdd33be", "sha256" "df8d023ada34fa97fc679b0ce3cb4065940bbf5ec80d57504dc37f8d9bf84991", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] } ] }, { "incidentid" 405, "incidenturi" "https //security microsoft com/incidents/405?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 404, "incidentname" "'cve' ransomware was detected including ransomware on one endpoint", "createdtime" "2023 04 26t00 47 55 6933333z", "lastupdatetime" "2023 04 26t00 47 59 9033333z", 
"assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 403, "incidenturi" "https //security microsoft com/incidents/403?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "'cve 2015 5122' exploit malware was detected on one endpoint", "createdtime" "2023 04 25t23 50 55 1z", "lastupdatetime" "2023 04 25t23 58 53 42z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "resolved", "severity" "low", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "da8b8b92a2 15ba 4e8f aa9d cd511e631542 1", "provideralertid" "8b8b92a2 15ba 4e8f aa9d cd511e631542 1", "incidentid" 403, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 04 25t23 50 54 7027655z", "lastupdatedtime" "2023 04 25t23 58 53 4233333z", "resolvedtime" "2023 04 25t23 58 53 254072z", "firstactivity" "2023 04 25t23 47 13 7141705z", "lastactivity" "2023 04 25t23 47 13 7141705z", "title" "'cve 2015 5122' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "resolved", "severity" "low", "investigationid" 9, "investigationstate" "benign", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" "api action", "actorname" null, "threatfamilyname" "cve 2015 5122", "mitretechniques" \[], "devices" \[ { 
"mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 04 25t23 50 54 88z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "bd14a982b5e6ed862330de93d958a18186cb8a83", "sha256" "056ad35a15e7c054e1e1ca3874cdf48ccc6cc35418f389b30b79dffcbfaaf4d9", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] } ] }, { "incidentid" 402, "incidenturi" "https //security microsoft com/incidents/402?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "exploit incident on one endpoint", "createdtime" "2023 04 25t23 28 57 0533333z", "lastupdatetime" "2023 04 25t23 36 18 13z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "resolved", "severity" "low", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "da7a7c9c2f 7d77 41d9 9d39 1b63b177b9dd 1", "provideralertid" "7a7c9c2f 7d77 41d9 9d39 1b63b177b9dd 1", "incidentid" 402, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 04 25t23 28 56 6170228z", "lastupdatedtime" "2023 04 25t23 36 18 13z", "resolvedtime" "2023 04 25t23 36 18 1157462z", "firstactivity" "2023 04 25t23 15 22 1010382z", "lastactivity" "2023 04 25t23 15 22 1010382z", "title" "'aicat' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits 
allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "resolved", "severity" "low", "investigationid" 7, "investigationstate" "benign", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" "api action", "actorname" null, "threatfamilyname" "aicat", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 04 25t23 28 56 8166667z", "verdict" "suspicious", "remediationstatus" "none", "sha1" "0b884a0b72e389bb40e6efd88b3cf977d7410e45", "sha256" "cc9a1c9f982e04404567d73b6f0a19bfac43a63280c47f3fa94d64d24d1c544a", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] }, { "alertid" "da86171505 000f 409f 8e29 86bbc2bf423e 1", "provideralertid" "86171505 000f 409f 8e29 86bbc2bf423e 1", "incidentid" 402, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 04 25t23 28 56 741128z", "lastupdatedtime" "2023 04 25t23 36 08 7933333z", 
"resolvedtime" "2023 04 25t23 36 08 6865211z", "firstactivity" "2023 04 25t23 15 22 1010382z", "lastactivity" "2023 04 25t23 15 22 1010382z", "title" "'cve 2014 0515' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "resolved", "severity" "low", "investigationid" 8, "investigationstate" "successfullyremediated", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" "api action", "actorname" null, "threatfamilyname" "cve 2014 0515", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 04 25t23 28 56 8166667z", "verdict" "malicious", "remediationstatus" "remediated", "sha1" "7d5ed7cddd2cbe580a88b90a89695216ef25e346", "sha256" "3c131569aaec7e3b313c8f03305d8eb8ef9915bbfe819c6d4a9b4b02f3f163ef", "filename" "49511ba5 691d 0155 986a aa43bb7c1426 1d973b113a34812", "filepath" "c \\\programdata\\\microsoft\\\windows 
defender\\\scans\\\filesstash", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] } ] }, { "incidentid" 401, "incidenturi" "https //security microsoft com/incidents/401?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 402, "incidentname" "'cve 2014 0515' exploit malware was detected on one endpoint", "createdtime" "2023 04 25t23 28 57 0533333z", "lastupdatetime" "2023 04 25t23 31 48 31z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "low", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 400, "incidenturi" "https //security microsoft com/incidents/400?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "automated investigation started manually on one endpoint", "createdtime" "2023 04 25t22 52 12 0566667z", "lastupdatetime" "2023 04 25t22 58 00 55z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "resolved", "severity" "informational", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "ar638180599315648136 73827727", "provideralertid" "ar638180599315648136 73827727", "incidentid" 400, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 04 25t22 52 11 5648315z", "lastupdatedtime" "2023 04 25t22 58 00 55z", "resolvedtime" "2023 04 25t22 58 00 4108067z", "firstactivity" "2023 04 25t22 52 11z", "lastactivity" "2023 04 25t22 52 11z", "title" "automated investigation started manually", "description" "se pov user(pov\@swimlaneintegrations onmicrosoft com) initiated an automated investigation on se pov desktop \n the investigation automatically identifies and reviews threat artifacts for possible remediation ", "category" "suspiciousactivity", "status" "resolved", "severity" "informational", "investigationid" 6, "investigationstate" "benign", "classification" null, "determination" null, "detectionsource" "automatedinvestigation", "detectorid" "5c6b7d86 
c91f 4f8c 8aec 9d2086f46527", "assignedto" "api action", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ] } ], "entities" \[ { "entitytype" "ip", "evidencecreationtime" "2023 04 25t22 52 11 7733333z", "verdict" "suspicious", "remediationstatus" "none" } ] } ] }, { "incidentid" 30, "incidenturi" "https //security microsoft com/incidents/30?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "unfamiliar sign in properties involving one user", "createdtime" "2023 02 24t11 27 36 04z", "lastupdatetime" "2023 04 24t22 36 46 76z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "resolved", "severity" "high", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "ad404ca292298b6508cc92366d546589a09269c790", "provideralertid" "125b00fbb87b803f2e5187a8b6d2105fd2e553debcab8c069f75811bd4b9f2b0", "incidentid" 30, "servicesource" "aadidentityprotection", "creationtime" "2023 02 24t11 27 35 6044885z", "lastupdatedtime" "2023 04 24t22 36 46 7633333z", "resolvedtime" "2023 04 24t22 36 46 25z", "firstactivity" "2023 02 24t11 23 08 4728034z", "lastactivity" "2023 02 24t11 23 08 4728034z", "title" "unfamiliar sign in properties", "description" "the following properties of this sign in are unfamiliar for the given user asn, browser, device, ip, location, easid, tenantipsubnet", "category" "initialaccess", "status" "resolved", "severity" "high", "investigationid" null, "investigationstate" 
"unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "aad", "detectorid" "unfamiliarlocation", "assignedto" "835a7a96 2e57 4e22 858a 2d0b0d63d3f8", "actorname" null, "threatfamilyname" null, "mitretechniques" \[ "t1078", "t1078 004" ], "devices" \[], "entities" \[ { "entitytype" "user", "evidencecreationtime" "2023 02 24t11 27 35 8066667z", "verdict" "suspicious", "remediationstatus" "none", "accountname" "travis riley", "usersid" "s 1 12 1 2203744918 1310862935 187533957 4174603021", "aaduserid" "835a7a96 2e57 4e22 858a 2d0b0d63d3f8", "userprincipalname" "travis riley\@swimlaneintegrations onmicrosoft com" }, { "entitytype" "ip", "evidencecreationtime" "2023 02 24t11 27 35 8066667z", "verdict" "suspicious", "remediationstatus" "none", "ipaddress" "58 121 175 94" } ] } ] }, { "incidentid" 20, "incidenturi" "https //security microsoft com/incidents/20?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "unfamiliar sign in properties involving one user", "createdtime" "2023 02 09t19 03 39 54z", "lastupdatetime" "2023 04 24t22 36 46 6966667z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "resolved", "severity" "high", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "ada1730241267959178c8da1db13f10acc855d1a1a", "provideralertid" "7c1be09ef73c2954d8f348032d1c9c0ade5dc7b561352511ad6eb8289f928969", "incidentid" 20, "servicesource" "aadidentityprotection", "creationtime" "2023 02 09t19 03 38 8565489z", "lastupdatedtime" "2023 04 24t22 36 46 66z", "resolvedtime" "2023 04 24t22 36 46 25z", "firstactivity" "2023 02 09t19 00 47 7063714z", "lastactivity" "2023 02 09t19 00 47 7063714z", "title" "unfamiliar sign in properties", "description" "the following properties of this sign in are unfamiliar for the given user asn, browser, device, ip, location, easid, tenantipsubnet", "category" "initialaccess", "status" "resolved", "severity" "high", 
"investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "aad", "detectorid" "unfamiliarlocation", "assignedto" "835a7a96 2e57 4e22 858a 2d0b0d63d3f8", "actorname" null, "threatfamilyname" null, "mitretechniques" \[ "t1078", "t1078 004" ], "devices" \[], "entities" \[ { "entitytype" "user", "evidencecreationtime" "2023 02 09t19 03 39 14z", "verdict" "suspicious", "remediationstatus" "none", "accountname" "travis riley", "usersid" "s 1 12 1 2203744918 1310862935 187533957 4174603021", "aaduserid" "835a7a96 2e57 4e22 858a 2d0b0d63d3f8", "userprincipalname" "travis riley\@swimlaneintegrations onmicrosoft com" }, { "entitytype" "ip", "evidencecreationtime" "2023 02 09t19 03 39 14z", "verdict" "suspicious", "remediationstatus" "none", "ipaddress" "35 80 199 84" } ] }, { "alertid" "ad7cdc884ea861ae4e2da60c93f1f65519e3c8e232", "provideralertid" "0a434d1cb4da41f2642ceabf224cf7a1a761640fd65511b9ca9232ba01ad84df", "incidentid" 20, "servicesource" "aadidentityprotection", "creationtime" "2023 02 09t19 32 04 5465595z", "lastupdatedtime" "2023 04 24t22 36 46 7z", "resolvedtime" "2023 04 24t22 36 46 1633333z", "firstactivity" "2023 02 09t19 28 47 9425823z", "lastactivity" "2023 02 09t19 28 47 9425823z", "title" "unfamiliar sign in properties", "description" "the following properties of this sign in are unfamiliar for the given user browser, device, ip, location, easid, tenantipsubnet", "category" "initialaccess", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "aad", "detectorid" "unfamiliarlocation", "assignedto" "835a7a96 2e57 4e22 858a 2d0b0d63d3f8", "actorname" null, "threatfamilyname" null, "mitretechniques" \[ "t1078", "t1078 004" ], "devices" \[], "entities" \[ { "entitytype" "user", "evidencecreationtime" "2023 02 09t19 32 04 7233333z", "verdict" 
"suspicious", "remediationstatus" "none", "accountname" "travis riley", "usersid" "s 1 12 1 2203744918 1310862935 187533957 4174603021", "aaduserid" "835a7a96 2e57 4e22 858a 2d0b0d63d3f8", "userprincipalname" "travis riley\@swimlaneintegrations onmicrosoft com" }, { "entitytype" "ip", "evidencecreationtime" "2023 02 09t19 32 04 7233333z", "verdict" "suspicious", "remediationstatus" "none", "ipaddress" "54 212 126 200" } ] }, { "alertid" "ad29901ba07fdd0073edecc5747ac5a942a26997de", "provideralertid" "70cdce0febbbda5f7c436c460453e339ef51f93bd5c77630f852bd43423bbc7b", "incidentid" 20, "servicesource" "aadidentityprotection", "creationtime" "2023 02 09t19 38 17 0285653z", "lastupdatedtime" "2023 04 24t22 36 45 8033333z", "resolvedtime" "2023 04 24t22 36 45 4533333z", "firstactivity" "2023 02 09t19 35 00 2168753z", "lastactivity" "2023 02 09t19 35 00 2168753z", "title" "unfamiliar sign in properties", "description" "the following properties of this sign in are unfamiliar for the given user browser, device, ip, location, easid, tenantipsubnet", "category" "initialaccess", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "aad", "detectorid" "unfamiliarlocation", "assignedto" "835a7a96 2e57 4e22 858a 2d0b0d63d3f8", "actorname" null, "threatfamilyname" null, "mitretechniques" \[ "t1078", "t1078 004" ], "devices" \[], "entities" \[ { "entitytype" "user", "evidencecreationtime" "2023 02 09t19 38 17 11z", "verdict" "suspicious", "remediationstatus" "none", "accountname" "travis riley", "usersid" "s 1 12 1 2203744918 1310862935 187533957 4174603021", "aaduserid" "835a7a96 2e57 4e22 858a 2d0b0d63d3f8", "userprincipalname" "travis riley\@swimlaneintegrations onmicrosoft com" }, { "entitytype" "ip", "evidencecreationtime" "2023 02 09t19 38 17 11z", "verdict" "suspicious", "remediationstatus" "none", "ipaddress" "35 86 16 230" } ] } ] }, { 
"incidentid" 15, "incidenturi" "https //security microsoft com/incidents/15?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "unfamiliar sign in properties involving one user", "createdtime" "2023 02 01t19 15 02 6833333z", "lastupdatetime" "2023 04 24t22 36 46 4333333z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "resolved", "severity" "high", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "ad3f457f04bd7d710c51c8de138cc66da147bcbaeb", "provideralertid" "8156c0b56ae4638eb268e94f8e967225cc6fa288a10e8597b9d2b7bfe9f7e13b", "incidentid" 15, "servicesource" "aadidentityprotection", "creationtime" "2023 02 01t19 15 02 1852943z", "lastupdatedtime" "2023 04 24t22 36 46 4333333z", "resolvedtime" "2023 04 24t22 36 45 9933333z", "firstactivity" "2023 02 01t19 12 38 6386889z", "lastactivity" "2023 02 01t19 12 38 6386889z", "title" "unfamiliar sign in properties", "description" "the following properties of this sign in are unfamiliar for the given user asn, browser, device, ip, location, easid, tenantipsubnet", "category" "initialaccess", "status" "resolved", "severity" "high", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "aad", "detectorid" "unfamiliarlocation", "assignedto" "835a7a96 2e57 4e22 858a 2d0b0d63d3f8", "actorname" null, "threatfamilyname" null, "mitretechniques" \[ "t1078", "t1078 004" ], "devices" \[], "entities" \[ { "entitytype" "user", "evidencecreationtime" "2023 02 01t19 15 02 4466667z", "verdict" "suspicious", "remediationstatus" "none", "accountname" "travis riley", "usersid" "s 1 12 1 2203744918 1310862935 187533957 4174603021", "aaduserid" "835a7a96 2e57 4e22 858a 2d0b0d63d3f8", "userprincipalname" "travis riley\@swimlaneintegrations onmicrosoft com" }, { "entitytype" "ip", "evidencecreationtime" "2023 02 01t19 15 02 4466667z", "verdict" "suspicious", "remediationstatus" 
"none", "ipaddress" "190 84 116 193" } ] } ] }, { "incidentid" 18, "incidenturi" "https //security microsoft com/incidents/18?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "unfamiliar sign in properties involving one user", "createdtime" "2023 02 08t16 40 33 5566667z", "lastupdatetime" "2023 04 24t22 36 46 4233333z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "resolved", "severity" "high", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "adf63dd06f695889f6be626a334e67213ee8e211b7", "provideralertid" "8dab22621d77a1b7595ecbf17794c6893cd58a992e97e931d667b7dd76ec805f", "incidentid" 18, "servicesource" "aadidentityprotection", "creationtime" "2023 02 08t16 40 32 9089426z", "lastupdatedtime" "2023 04 24t22 36 46 4233333z", "resolvedtime" "2023 04 24t22 36 46 0533333z", "firstactivity" "2023 02 08t16 11 07 5069368z", "lastactivity" "2023 02 08t16 11 07 5069368z", "title" "unfamiliar sign in properties", "description" "the following properties of this sign in are unfamiliar for the given user asn, browser, device, ip, location, easid, tenantipsubnet", "category" "initialaccess", "status" "resolved", "severity" "high", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "aad", "detectorid" "unfamiliarlocation", "assignedto" "835a7a96 2e57 4e22 858a 2d0b0d63d3f8", "actorname" null, "threatfamilyname" null, "mitretechniques" \[ "t1078", "t1078 004" ], "devices" \[], "entities" \[ { "entitytype" "user", "evidencecreationtime" "2023 02 08t16 40 33 24z", "verdict" "suspicious", "remediationstatus" "none", "accountname" "travis riley", "usersid" "s 1 12 1 2203744918 1310862935 187533957 4174603021", "aaduserid" "835a7a96 2e57 4e22 858a 2d0b0d63d3f8", "userprincipalname" "travis riley\@swimlaneintegrations onmicrosoft com" }, { "entitytype" "ip", "evidencecreationtime" "2023 02 08t16 40 33 24z", "verdict" 
"suspicious", "remediationstatus" "none", "ipaddress" "119 93 220 93" } ] } ] }, { "incidentid" 384, "incidenturi" "https //security microsoft com/incidents/384?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "initial access incident involving one user", "createdtime" "2023 04 11t13 47 28 3466667z", "lastupdatetime" "2023 04 24t22 36 45 24z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "resolved", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "ad0ec530b448610f9838fd92bdcbe4ba2e8715fa08", "provideralertid" "ec29cac8812299e2b4e92ed3b21c22d80b4c2e5cc4594692ecb2cf32560446a8", "incidentid" 384, "servicesource" "aadidentityprotection", "creationtime" "2023 04 11t13 47 27 664417z", "lastupdatedtime" "2023 04 24t22 36 45 2433333z", "resolvedtime" "2023 04 24t22 36 44 8533333z", "firstactivity" "2023 04 11t13 44 41 784118z", "lastactivity" "2023 04 11t13 44 41 784118z", "title" "unfamiliar sign in properties", "description" "the following properties of this sign in are unfamiliar for the given user browser, device, ip, location, easid, tenantipsubnet", "category" "initialaccess", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "aad", "detectorid" "unfamiliarlocation", "assignedto" "835a7a96 2e57 4e22 858a 2d0b0d63d3f8", "actorname" null, "threatfamilyname" null, "mitretechniques" \[ "t1078", "t1078 004" ], "devices" \[], "entities" \[ { "entitytype" "user", "evidencecreationtime" "2023 04 11t13 47 28 0033333z", "verdict" "suspicious", "remediationstatus" "none", "accountname" "travis riley", "usersid" "s 1 12 1 2203744918 1310862935 187533957 4174603021", "aaduserid" "835a7a96 2e57 4e22 858a 2d0b0d63d3f8", "userprincipalname" "travis riley\@swimlaneintegrations onmicrosoft com" }, { "entitytype" "ip", "evidencecreationtime" "2023 04 
11t13 47 28 0033333z", "verdict" "suspicious", "remediationstatus" "none", "ipaddress" "54 245 143 176" } ] }, { "alertid" "ada936fecbb62f0b8ec4a4289669a7d16941396028", "provideralertid" "591eacf5b4392ebb4318cdcdcc63a3ce60684a44cf5faa3c636c7ed39c7ab25f", "incidentid" 384, "servicesource" "aadidentityprotection", "creationtime" "2023 04 11t18 07 20 7813392z", "lastupdatedtime" "2023 04 24t22 36 16 71z", "resolvedtime" "2023 04 24t22 36 16 2433333z", "firstactivity" "2023 04 11t13 44 41 784118z", "lastactivity" "2023 04 11t13 44 41 784118z", "title" "atypical travel", "description" "sign in from an atypical location based on the user\u2019s recent sign ins", "category" "initialaccess", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "aad", "detectorid" "impossibletravel", "assignedto" "835a7a96 2e57 4e22 858a 2d0b0d63d3f8", "actorname" null, "threatfamilyname" null, "mitretechniques" \[ "t1078", "t1078 004" ], "devices" \[], "entities" \[ { "entitytype" "user", "evidencecreationtime" "2023 04 11t18 07 21 0033333z", "verdict" "suspicious", "remediationstatus" "none", "accountname" "travis riley", "usersid" "s 1 12 1 2203744918 1310862935 187533957 4174603021", "aaduserid" "835a7a96 2e57 4e22 858a 2d0b0d63d3f8", "userprincipalname" "travis riley\@swimlaneintegrations onmicrosoft com" }, { "entitytype" "ip", "evidencecreationtime" "2023 04 11t18 07 21 0033333z", "verdict" "suspicious", "remediationstatus" "none", "ipaddress" "54 245 143 176" }, { "entitytype" "ip", "evidencecreationtime" "2023 04 11t18 07 21 0033333z", "verdict" "suspicious", "remediationstatus" "none", "ipaddress" "192 228 201 32" } ] } ] }, { "incidentid" 32, "incidenturi" "https //security microsoft com/incidents/32?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "initial access incident involving one user", "createdtime" "2023 03 
01t01 42 17 84z", "lastupdatetime" "2023 04 24t22 36 34 2666667z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "resolved", "severity" "high", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "adcd0093ca1894b83608939e415cdec50ee713fab4", "provideralertid" "651c7f69d7b9bfe1922963ff3581173c3c19e548e5277b77c14d4cc04ce7c46c", "incidentid" 32, "servicesource" "aadidentityprotection", "creationtime" "2023 03 01t01 42 17 3643777z", "lastupdatedtime" "2023 04 24t22 36 34 2666667z", "resolvedtime" "2023 04 24t22 36 33 9433333z", "firstactivity" "2023 03 01t01 38 54 2632968z", "lastactivity" "2023 03 01t01 38 54 2632968z", "title" "unfamiliar sign in properties", "description" "the following properties of this sign in are unfamiliar for the given user asn, browser, device, ip, location, easid, tenantipsubnet", "category" "initialaccess", "status" "resolved", "severity" "high", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "aad", "detectorid" "unfamiliarlocation", "assignedto" "835a7a96 2e57 4e22 858a 2d0b0d63d3f8", "actorname" null, "threatfamilyname" null, "mitretechniques" \[ "t1078", "t1078 004" ], "devices" \[], "entities" \[ { "entitytype" "user", "evidencecreationtime" "2023 03 01t01 42 17 5966667z", "verdict" "suspicious", "remediationstatus" "none", "accountname" "travis riley", "usersid" "s 1 12 1 2203744918 1310862935 187533957 4174603021", "aaduserid" "835a7a96 2e57 4e22 858a 2d0b0d63d3f8", "userprincipalname" "travis riley\@swimlaneintegrations onmicrosoft com" }, { "entitytype" "ip", "evidencecreationtime" "2023 03 01t01 42 17 5966667z", "verdict" "suspicious", "remediationstatus" "none", "ipaddress" "106 72 137 96" } ] }, { "alertid" "ad2ad92556f0866dba8ca621a668b10320b8d8594c", "provideralertid" "5d4143ada8199736e86448470ace95ce556626990a91bf0c1fc4e48412b8f908", "incidentid" 32, "servicesource" "aadidentityprotection", 
"creationtime" "2023 03 01t04 29 00 1893023z", "lastupdatedtime" "2023 04 24t22 36 15 3633333z", "resolvedtime" "2023 04 24t22 36 14 9066667z", "firstactivity" "2023 03 01t01 38 54 2632968z", "lastactivity" "2023 03 01t01 38 54 2632968z", "title" "atypical travel", "description" "sign in from an atypical location based on the user\u2019s recent sign ins", "category" "initialaccess", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "aad", "detectorid" "impossibletravel", "assignedto" "835a7a96 2e57 4e22 858a 2d0b0d63d3f8", "actorname" null, "threatfamilyname" null, "mitretechniques" \[ "t1078", "t1078 004" ], "devices" \[], "entities" \[ { "entitytype" "user", "evidencecreationtime" "2023 03 01t04 29 00 3666667z", "verdict" "suspicious", "remediationstatus" "none", "accountname" "travis riley", "usersid" "s 1 12 1 2203744918 1310862935 187533957 4174603021", "aaduserid" "835a7a96 2e57 4e22 858a 2d0b0d63d3f8", "userprincipalname" "travis riley\@swimlaneintegrations onmicrosoft com" }, { "entitytype" "ip", "evidencecreationtime" "2023 03 01t04 29 00 3666667z", "verdict" "suspicious", "remediationstatus" "none", "ipaddress" "106 72 137 96" }, { "entitytype" "ip", "evidencecreationtime" "2023 03 01t04 29 00 3666667z", "verdict" "suspicious", "remediationstatus" "none", "ipaddress" "58 121 175 94" } ] } ] }, { "incidentid" 27, "incidenturi" "https //security microsoft com/incidents/27?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "atypical travel involving one user", "createdtime" "2023 02 20t11 08 19 61z", "lastupdatetime" "2023 04 24t22 36 34 13z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "resolved", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "adcdd741fbd5e457db3808cc2d59273e1ae8a2a6ab", "provideralertid" 
"14a3bef4006cc6032b58348fd15b4b5c8c4c6ce54e029f03e2f8446f7e8520aa", "incidentid" 27, "servicesource" "aadidentityprotection", "creationtime" "2023 02 20t11 08 19 2009227z", "lastupdatedtime" "2023 04 24t22 36 34 1366667z", "resolvedtime" "2023 04 24t22 36 33 7433333z", "firstactivity" "2023 02 20t08 01 45 5716056z", "lastactivity" "2023 02 20t08 01 45 5716056z", "title" "atypical travel", "description" "sign in from an atypical location based on the user\u2019s recent sign ins", "category" "initialaccess", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "aad", "detectorid" "impossibletravel", "assignedto" "835a7a96 2e57 4e22 858a 2d0b0d63d3f8", "actorname" null, "threatfamilyname" null, "mitretechniques" \[ "t1078", "t1078 004" ], "devices" \[], "entities" \[ { "entitytype" "user", "evidencecreationtime" "2023 02 20t11 08 19 41z", "verdict" "suspicious", "remediationstatus" "none", "accountname" "travis riley", "usersid" "s 1 12 1 2203744918 1310862935 187533957 4174603021", "aaduserid" "835a7a96 2e57 4e22 858a 2d0b0d63d3f8", "userprincipalname" "travis riley\@swimlaneintegrations onmicrosoft com" }, { "entitytype" "ip", "evidencecreationtime" "2023 02 20t11 08 19 41z", "verdict" "suspicious", "remediationstatus" "none", "ipaddress" "54 212 71 42" }, { "entitytype" "ip", "evidencecreationtime" "2023 02 20t11 08 19 41z", "verdict" "suspicious", "remediationstatus" "none", "ipaddress" "202 190 241 249" } ] } ] }, { "incidentid" 176, "incidenturi" "https //security microsoft com/incidents/176?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "initial access incident involving one user", "createdtime" "2023 03 22t16 36 16 0366667z", "lastupdatetime" "2023 04 24t22 36 16 5833333z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "resolved", "severity" "high", 
"tags" \[], "comments" \[], "alerts" \[ { "alertid" "adc32b12725dcca56306a0504d152414edfa713eb6", "provideralertid" "7c58da3ce2957f2f7e85fef607cfb03a74900f1f9044926b2cf2e89726a8f646", "incidentid" 176, "servicesource" "aadidentityprotection", "creationtime" "2023 03 22t16 36 15 6233331z", "lastupdatedtime" "2023 04 24t22 36 04 2766667z", "resolvedtime" "2023 04 24t22 36 03 5233333z", "firstactivity" "2023 03 22t16 32 41 3278572z", "lastactivity" "2023 03 22t16 32 41 3278572z", "title" "unfamiliar sign in properties", "description" "the following properties of this sign in are unfamiliar for the given user asn, browser, device, ip, location, easid, tenantipsubnet", "category" "initialaccess", "status" "resolved", "severity" "high", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "aad", "detectorid" "unfamiliarlocation", "assignedto" "835a7a96 2e57 4e22 858a 2d0b0d63d3f8", "actorname" null, "threatfamilyname" null, "mitretechniques" \[ "t1078", "t1078 004" ], "devices" \[], "entities" \[ { "entitytype" "user", "evidencecreationtime" "2023 03 22t16 36 15 81z", "verdict" "suspicious", "remediationstatus" "none", "accountname" "travis riley", "usersid" "s 1 12 1 2203744918 1310862935 187533957 4174603021", "aaduserid" "835a7a96 2e57 4e22 858a 2d0b0d63d3f8", "userprincipalname" "travis riley\@swimlaneintegrations onmicrosoft com" }, { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t16 36 15 81z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c44b4083 3bb0 49c1 b47d 974e53cbdf3c" }, { "entitytype" "ip", "evidencecreationtime" "2023 03 22t16 36 15 81z", "verdict" "suspicious", "remediationstatus" "none", "ipaddress" "191 81 64 188" } ] }, { "alertid" "ad712862513359b9b1b7dfc373ff45b7b8ef0b851b", "provideralertid" "73cd99db2c0030cc7855ed5305eeee059c09dc1fa9ab40f82e5aaf9e34e5ba8f", "incidentid" 176, "servicesource" "aadidentityprotection", 
"creationtime" "2023 03 22t19 43 55 6619142z", "lastupdatedtime" "2023 04 24t22 36 16 5833333z", "resolvedtime" "2023 04 24t22 36 16 2066667z", "firstactivity" "2023 03 22t16 32 41 3278572z", "lastactivity" "2023 03 22t16 32 41 3278572z", "title" "atypical travel", "description" "sign in from an atypical location based on the user\u2019s recent sign ins", "category" "initialaccess", "status" "resolved", "severity" "high", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "aad", "detectorid" "impossibletravel", "assignedto" "835a7a96 2e57 4e22 858a 2d0b0d63d3f8", "actorname" null, "threatfamilyname" null, "mitretechniques" \[ "t1078", "t1078 004" ], "devices" \[], "entities" \[ { "entitytype" "user", "evidencecreationtime" "2023 03 22t19 43 55 8233333z", "verdict" "suspicious", "remediationstatus" "none", "accountname" "travis riley", "usersid" "s 1 12 1 2203744918 1310862935 187533957 4174603021", "aaduserid" "835a7a96 2e57 4e22 858a 2d0b0d63d3f8", "userprincipalname" "travis riley\@swimlaneintegrations onmicrosoft com" }, { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t19 43 55 8233333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c44b4083 3bb0 49c1 b47d 974e53cbdf3c" }, { "entitytype" "ip", "evidencecreationtime" "2023 03 22t19 43 55 8233333z", "verdict" "suspicious", "remediationstatus" "none", "ipaddress" "191 81 64 188" }, { "entitytype" "ip", "evidencecreationtime" "2023 03 22t19 43 55 8233333z", "verdict" "suspicious", "remediationstatus" "none", "ipaddress" "96 79 235 37" } ] } ] }, { "incidentid" 26, "incidenturi" "https //security microsoft com/incidents/26?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "unfamiliar sign in properties involving one user", "createdtime" "2023 02 20t08 04 51 4966667z", "lastupdatetime" "2023 04 24t22 36 15 8733333z", "assignedto" null, 
"classification" "unknown", "determination" "notavailable", "status" "resolved", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "adb7d4123795d9193451fc4a703b9f57a376cb75a2", "provideralertid" "bb3b69c61dc67100cf3f19fd0f0b2ec58499c519f359fd9d7c53372aaded61c6", "incidentid" 26, "servicesource" "aadidentityprotection", "creationtime" "2023 02 20t08 04 51 069199z", "lastupdatedtime" "2023 04 24t22 36 15 8766667z", "resolvedtime" "2023 04 24t22 36 15 47z", "firstactivity" "2023 02 20t08 01 45 5716056z", "lastactivity" "2023 02 20t08 01 45 5716056z", "title" "unfamiliar sign in properties", "description" "the following properties of this sign in are unfamiliar for the given user browser, device, ip, location, easid, tenantipsubnet", "category" "initialaccess", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "aad", "detectorid" "unfamiliarlocation", "assignedto" "835a7a96 2e57 4e22 858a 2d0b0d63d3f8", "actorname" null, "threatfamilyname" null, "mitretechniques" \[ "t1078", "t1078 004" ], "devices" \[], "entities" \[ { "entitytype" "user", "evidencecreationtime" "2023 02 20t08 04 51 27z", "verdict" "suspicious", "remediationstatus" "none", "accountname" "travis riley", "usersid" "s 1 12 1 2203744918 1310862935 187533957 4174603021", "aaduserid" "835a7a96 2e57 4e22 858a 2d0b0d63d3f8", "userprincipalname" "travis riley\@swimlaneintegrations onmicrosoft com" }, { "entitytype" "ip", "evidencecreationtime" "2023 02 20t08 04 51 27z", "verdict" "suspicious", "remediationstatus" "none", "ipaddress" "54 212 71 42" } ] } ] }, { "incidentid" 398, "incidenturi" "https //security microsoft com/incidents/398?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "initial access incident involving one user", "createdtime" "2023 04 24t14 55 51 92z", "lastupdatetime" "2023 04 24t17 55 45 2333333z", 
"assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "active", "severity" "high", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "ad923ca30c3bba2e62a66117030716ce9da934891d", "provideralertid" "9d2de9f24d91b1ec970f3809e9a486cd8b6563019e969e57ebf7c624b9b82fc2", "incidentid" 398, "servicesource" "aadidentityprotection", "creationtime" "2023 04 24t14 55 49 3831635z", "lastupdatedtime" "2023 04 24t14 55 52 5966667z", "resolvedtime" null, "firstactivity" "2023 04 24t14 52 45 2576769z", "lastactivity" "2023 04 24t14 52 45 2576769z", "title" "unfamiliar sign in properties", "description" "the following properties of this sign in are unfamiliar for the given user browser, device, ip, location, easid, tenantipsubnet", "category" "initialaccess", "status" "new", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" null, "determination" null, "detectionsource" "aad", "detectorid" "unfamiliarlocation", "assignedto" null, "actorname" null, "threatfamilyname" null, "mitretechniques" \[ "t1078", "t1078 004" ], "devices" \[], "entities" \[ { "entitytype" "user", "evidencecreationtime" "2023 04 24t14 55 51 61z", "verdict" "suspicious", "remediationstatus" "none", "accountname" "pov", "usersid" "s 1 12 1 1510799150 1340649529 3182594751 1539246002", "aaduserid" "5a0cf72e b039 4fe8 bf8a b2bdb207bf5b", "userprincipalname" "pov\@swimlaneintegrations onmicrosoft com" }, { "entitytype" "ip", "evidencecreationtime" "2023 04 24t14 55 51 61z", "verdict" "suspicious", "remediationstatus" "none", "ipaddress" "109 156 225 181" } ] }, { "alertid" "ad23d4e3b30d4636e69d81a9aff6fd0f98134bb24a", "provideralertid" "22a2cd2fc4138267f6d24f010cf20af652c3adda5f21e4b10c9b132381f51184", "incidentid" 398, "servicesource" "aadidentityprotection", "creationtime" "2023 04 24t17 52 13 9031591z", "lastupdatedtime" "2023 04 24t17 55 45 1066667z", "resolvedtime" null, "firstactivity" "2023 04 24t14 52 45 2576769z", 
"lastactivity" "2023 04 24t14 52 45 2576769z", "title" "atypical travel", "description" "sign in from an atypical location based on the user\u2019s recent sign ins", "category" "initialaccess", "status" "new", "severity" "high", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" null, "determination" null, "detectionsource" "aad", "detectorid" "impossibletravel", "assignedto" null, "actorname" null, "threatfamilyname" null, "mitretechniques" \[ "t1078", "t1078 004" ], "devices" \[], "entities" \[ { "entitytype" "user", "evidencecreationtime" "2023 04 24t17 52 14 1033333z", "verdict" "suspicious", "remediationstatus" "none", "accountname" "pov", "usersid" "s 1 12 1 1510799150 1340649529 3182594751 1539246002", "aaduserid" "5a0cf72e b039 4fe8 bf8a b2bdb207bf5b", "userprincipalname" "pov\@swimlaneintegrations onmicrosoft com" }, { "entitytype" "ip", "evidencecreationtime" "2023 04 24t17 52 14 1033333z", "verdict" "suspicious", "remediationstatus" "none", "ipaddress" "109 156 225 181" }, { "entitytype" "ip", "evidencecreationtime" "2023 04 24t17 52 14 1033333z", "verdict" "suspicious", "remediationstatus" "none", "ipaddress" "172 58 243 4" } ] } ] }, { "incidentid" 399, "incidenturi" "https //security microsoft com/incidents/399?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 398, "incidentname" "atypical travel involving one user", "createdtime" "2023 04 24t17 52 14 38z", "lastupdatetime" "2023 04 24t17 55 44 9933333z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "high", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 397, "incidenturi" "https //security microsoft com/incidents/397?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "unused app", "createdtime" "2023 04 22t04 18 50 8666667z", "lastupdatetime" "2023 04 22t04 18 50 9833333z", "assignedto" null, "classification" "unknown", "determination" 
"notavailable", "status" "active", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "ma5f40ba65 eef8 4188 81de ff42c87bb60d", "provideralertid" "5f40ba65 eef8 4188 81de ff42c87bb60d", "incidentid" 397, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 04 22t04 18 50 4229194z", "lastupdatedtime" "2023 04 22t04 18 51 4z", "resolvedtime" null, "firstactivity" "2023 04 22t04 18 17 609z", "lastactivity" "2023 04 22t04 18 17 609z", "title" "unused app", "description" "the cloud app (jezawa testing email) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=b4d05094 e06d 49cd a9be 558fd7226575\\">jezawa testing email\</a>", "category" "suspiciousactivity", "status" "new", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" null, "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" null, "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 04 22t04 18 50 6z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "b4d05094 e06d 49cd a9be 558fd7226575", "applicationname" "jezawa testing email" } ] } ] }, { "incidentid" 396, "incidenturi" "https //security microsoft com/incidents/396?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "exploit incident on one endpoint", "createdtime" "2023 04 19t22 03 08 29z", "lastupdatetime" "2023 04 19t22 17 02 9966667z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "resolved", "severity" "low", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "da17fbbe7a a8fc 497d 8f87 7de15a27c2df 1", "provideralertid" "17fbbe7a a8fc 497d 
8f87 7de15a27c2df 1", "incidentid" 396, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 04 19t22 03 07 7939898z", "lastupdatedtime" "2023 04 19t22 17 02 9966667z", "resolvedtime" "2023 04 19t22 17 02 7376611z", "firstactivity" "2023 04 19t22 01 16 2819441z", "lastactivity" "2023 04 19t22 01 16 2819441z", "title" "'cve 2015 0318' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "resolved", "severity" "low", "investigationid" 5, "investigationstate" "successfullyremediated", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" "api action", "actorname" null, "threatfamilyname" "cve 2015 0318", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 04 19t22 03 07 9966667z", "verdict" "malicious", "remediationstatus" "remediated", "sha1" "0c928d246d947f8bb359f9ae186e4a9cef56469c", "sha256" 
"fae80e9142f46314a211047f2a047e37d09d053cf9063f3c4188d47f43f31e8d", "filename" "main swf", "filepath" "c \\\metasploit framework\\\embedded\\\framework\\\data\\\exploits\\\cve 2015 0318", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] }, { "alertid" "dae2edae68 dac2 41da a066 46a2bfbd2187 1", "provideralertid" "e2edae68 dac2 41da a066 46a2bfbd2187 1", "incidentid" 396, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 04 19t22 03 07 8698409z", "lastupdatedtime" "2023 04 19t22 17 02 9966667z", "resolvedtime" "2023 04 19t22 17 02 7376611z", "firstactivity" "2023 04 19t22 01 16 2819781z", "lastactivity" "2023 04 19t22 01 16 2819781z", "title" "'cve 2015 5122' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "resolved", "severity" "low", "investigationid" 5, "investigationstate" "successfullyremediated", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" "api action", "actorname" null, "threatfamilyname" "cve 2015 5122", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" 
"updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 04 19t22 03 08 0633333z", "verdict" "malicious", "remediationstatus" "remediated", "sha1" "bd14a982b5e6ed862330de93d958a18186cb8a83", "sha256" "056ad35a15e7c054e1e1ca3874cdf48ccc6cc35418f389b30b79dffcbfaaf4d9", "filename" "msf swf", "filepath" "c \\\metasploit framework\\\embedded\\\framework\\\data\\\exploits\\\cve 2015 5122", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] } ] }, { "incidentid" 392, "incidenturi" "https //security microsoft com/incidents/392?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "malware incident on one endpoint", "createdtime" "2023 04 19t13 42 13 6166667z", "lastupdatetime" "2023 04 19t18 28 28 84z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "active", "severity" "informational", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "da0c7e089d 5ff6 4e04 8000 17f4e35fa783 1", "provideralertid" "0c7e089d 5ff6 4e04 8000 17f4e35fa783 1", "incidentid" 392, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 04 19t13 42 13 1851332z", "lastupdatedtime" "2023 04 19t13 42 14 3133333z", "resolvedtime" null, "firstactivity" "2023 04 19t13 30 57 9123134z", "lastactivity" "2023 04 19t13 30 57 9123134z", "title" "malware was detected in a zip archive file", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected devices\u200b some of these undesirable applications can replicate and spread from one device to another other devices receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection indicates that malware was found in an archive file the malware has not been 
launched if real time protection is turned on and the threat is not excluded, any attempt to detonate the malware from this archive will be blocked ", "category" "malware", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "12cfe475 4973 4a03 ad53 60dca8bf9d3d", "assignedto" null, "actorname" null, "threatfamilyname" "eicar test file", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 04 19t13 42 13 3466667z", "verdict" "suspicious", "remediationstatus" "active", "sha1" "3395856ce81f2b7382dee72602f798b642f14140", "sha256" "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", "filename" "eicarcom2 (1) zip", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] }, { "alertid" "da14ac5136 324c 4dd7 8e22 a880f7266da7 1", "provideralertid" "14ac5136 324c 4dd7 8e22 a880f7266da7 1", "incidentid" 392, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 04 19t13 43 49 3882906z", "lastupdatedtime" "2023 04 19t18 28 28 84z", "resolvedtime" "2023 04 19t18 28 28 5479406z", "firstactivity" "2023 04 19t13 30 57 913646z", "lastactivity" "2023 04 19t13 30 57 913646z", "title" "'eicar test file' malware was detected", "description" "malware and unwanted 
software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "resolved", "severity" "informational", "investigationid" 4, "investigationstate" "successfullyremediated", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" "api action", "actorname" null, "threatfamilyname" "eicar test file", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 04 19t13 43 49 46z", "verdict" "suspicious", "remediationstatus" "active", "sha1" "bec1b52d350d721c7e22a6d4bb0a92909893a3ae", "filename" "eicarcom2 (1) zip", "filepath" "c \\\users\\\chris phillips\\\downloads", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] } ] }, { "incidentid" 393, "incidenturi" "https //security microsoft com/incidents/393?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "multiple threat families detected on one endpoint", "createdtime" "2023 04 
19t17 48 49 53z", "lastupdatetime" "2023 04 19t18 28 28 84z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "resolved", "severity" "low", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "da36aabc3a 0496 4590 b652 a3b8dda1c7ef 1", "provideralertid" "36aabc3a 0496 4590 b652 a3b8dda1c7ef 1", "incidentid" 393, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 04 19t17 48 49 0574812z", "lastupdatedtime" "2023 04 19t18 28 28 84z", "resolvedtime" "2023 04 19t18 28 28 5479406z", "firstactivity" "2023 04 19t17 46 46 4770008z", "lastactivity" "2023 04 19t17 46 46 4770008z", "title" "'cve 2014 0515' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "exploit", "status" "resolved", "severity" "low", "investigationid" 4, "investigationstate" "successfullyremediated", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "assignedto" "api action", "actorname" null, "threatfamilyname" "cve 2014 0515", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, 
"loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 04 19t17 48 49 3066667z", "verdict" "malicious", "remediationstatus" "remediated", "sha1" "7d5ed7cddd2cbe580a88b90a89695216ef25e346", "sha256" "3c131569aaec7e3b313c8f03305d8eb8ef9915bbfe819c6d4a9b4b02f3f163ef", "filename" "msf swf", "filepath" "c \\\metasploit framework\\\embedded\\\framework\\\data\\\exploits\\\cve 2014 0515", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] }, { "alertid" "da1c42fa48 be2d 4820 9fb0 d39bde338a59 1", "provideralertid" "1c42fa48 be2d 4820 9fb0 d39bde338a59 1", "incidentid" 393, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 04 19t17 48 49 1062764z", "lastupdatedtime" "2023 04 19t18 28 28 84z", "resolvedtime" "2023 04 19t18 28 28 5479406z", "firstactivity" "2023 04 19t17 46 46 4770357z", "lastactivity" "2023 04 19t17 46 46 4770357z", "title" "'skeeyah' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "resolved", "severity" "informational", "investigationid" 4, "investigationstate" "successfullyremediated", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" "api action", "actorname" null, "threatfamilyname" "skeeyah", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", 
"aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 04 19t17 48 49 2933333z", "verdict" "malicious", "remediationstatus" "remediated", "sha1" "0b884a0b72e389bb40e6efd88b3cf977d7410e45", "sha256" "cc9a1c9f982e04404567d73b6f0a19bfac43a63280c47f3fa94d64d24d1c544a", "filename" "msf swf", "filepath" "c \\\metasploit framework\\\embedded\\\framework\\\data\\\exploits\\\cve 2015 3113", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] }, { "alertid" "da45985c2a 5b72 44af acf2 28f061e72059 1", "provideralertid" "45985c2a 5b72 44af acf2 28f061e72059 1", "incidentid" 393, "servicesource" "microsoftdefenderforendpoint", "creationtime" "2023 04 19t17 48 49 1682795z", "lastupdatedtime" "2023 04 19t18 28 28 84z", "resolvedtime" "2023 04 19t18 28 28 5479406z", "firstactivity" "2023 04 19t17 46 46 4770691z", "lastactivity" "2023 04 19t17 46 46 4770691z", "title" "'genmaldwn' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "category" "malware", "status" "resolved", "severity" "informational", "investigationid" 4, 
"investigationstate" "successfullyremediated", "classification" null, "determination" null, "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "assignedto" "api action", "actorname" null, "threatfamilyname" "genmaldwn", "mitretechniques" \[], "devices" \[ { "mdatpdeviceid" "556b3952acb0bff29816d267822305781cc183ec", "aaddeviceid" null, "devicednsname" "se pov desktop", "osplatform" "windows10", "version" "21h2", "osprocessor" "x64", "osbuild" 19044, "healthstatus" "active", "riskscore" "medium", "rbacgroupname" null, "firstseen" "2023 04 19t13 27 53 1618923z", "tags" \[ "test tag 2" ], "defenderavstatus" "updated", "onboardingstatus" "onboarded", "vmmetadata" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ] } ], "entities" \[ { "entitytype" "file", "evidencecreationtime" "2023 04 19t17 48 49 2933333z", "verdict" "malicious", "remediationstatus" "remediated", "sha1" "919264563b8f04fd71127fa200bb7120c089acb6", "sha256" "2f8890164f092c36e0b2f7021a01b6051cf4fdfca637e7abae690a843d8cffbd", "filename" "postgres copy from program cmd exec md", "filepath" "c \\\metasploit framework\\\embedded\\\framework\\\documentation\\\modules\\\exploit\\\multi\\\postgres", "detectionstatus" "detected", "deviceid" "556b3952acb0bff29816d267822305781cc183ec" } ] } ] }, { "incidentid" 394, "incidenturi" "https //security microsoft com/incidents/394?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 393, "incidentname" "'skeeyah' malware was detected on one endpoint", "createdtime" "2023 04 19t17 48 49 5333333z", "lastupdatetime" "2023 04 19t17 50 57 1066667z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "informational", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 395, "incidenturi" "https //security microsoft com/incidents/395?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 393, "incidentname" 
"'cve 2014 0515' exploit malware was detected on one endpoint", "createdtime" "2023 04 19t17 48 49 5333333z", "lastupdatetime" "2023 04 19t17 50 57 1066667z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "low", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 390, "incidenturi" "https //security microsoft com/incidents/390?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "initial access incident involving one user", "createdtime" "2023 04 17t18 53 49 98z", "lastupdatetime" "2023 04 17t21 44 38 01z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "active", "severity" "high", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "ad55b7cbdcdb53c26deaac8403ca57253e17f4e2de", "provideralertid" "8c0cbd817c3c9fb0e698712250365d54c32eed092734dc1ffc5fd2068a2012a0", "incidentid" 390, "servicesource" "aadidentityprotection", "creationtime" "2023 04 17t18 53 47 6107354z", "lastupdatedtime" "2023 04 17t18 53 50 5133333z", "resolvedtime" null, "firstactivity" "2023 04 17t18 50 00 3016207z", "lastactivity" "2023 04 17t18 50 00 3016207z", "title" "unfamiliar sign in properties", "description" "the following properties of this sign in are unfamiliar for the given user asn, browser, device, ip, location, easid, tenantipsubnet", "category" "initialaccess", "status" "new", "severity" "high", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" null, "determination" null, "detectionsource" "aad", "detectorid" "unfamiliarlocation", "assignedto" null, "actorname" null, "threatfamilyname" null, "mitretechniques" \[ "t1078", "t1078 004" ], "devices" \[], "entities" \[ { "entitytype" "user", "evidencecreationtime" "2023 04 17t18 53 47 7633333z", "verdict" "suspicious", "remediationstatus" "none", "accountname" "pov", "usersid" "s 1 12 1 1510799150 1340649529 3182594751 1539246002", "aaduserid" "5a0cf72e b039 
4fe8 bf8a b2bdb207bf5b", "userprincipalname" "pov\@swimlaneintegrations onmicrosoft com" }, { "entitytype" "ip", "evidencecreationtime" "2023 04 17t18 53 47 7633333z", "verdict" "suspicious", "remediationstatus" "none", "ipaddress" "172 56 96 43" } ] }, { "alertid" "adaa42d14caeaeede7d8784aa5cd299c39bcda1f03", "provideralertid" "1a3c6fff313fbf2801f4237294cd4f9c7ce93359a22aedb8b27f701904f6e573", "incidentid" 390, "servicesource" "aadidentityprotection", "creationtime" "2023 04 17t21 41 26 3606238z", "lastupdatedtime" "2023 04 17t21 44 37 8466667z", "resolvedtime" null, "firstactivity" "2023 04 17t18 50 00 3016207z", "lastactivity" "2023 04 17t18 50 00 3016207z", "title" "atypical travel", "description" "sign in from an atypical location based on the user\u2019s recent sign ins", "category" "initialaccess", "status" "new", "severity" "high", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" null, "determination" null, "detectionsource" "aad", "detectorid" "impossibletravel", "assignedto" null, "actorname" null, "threatfamilyname" null, "mitretechniques" \[ "t1078", "t1078 004" ], "devices" \[], "entities" \[ { "entitytype" "user", "evidencecreationtime" "2023 04 17t21 41 26 55z", "verdict" "suspicious", "remediationstatus" "none", "accountname" "pov", "usersid" "s 1 12 1 1510799150 1340649529 3182594751 1539246002", "aaduserid" "5a0cf72e b039 4fe8 bf8a b2bdb207bf5b", "userprincipalname" "pov\@swimlaneintegrations onmicrosoft com" }, { "entitytype" "ip", "evidencecreationtime" "2023 04 17t21 41 26 55z", "verdict" "suspicious", "remediationstatus" "none", "ipaddress" "172 56 96 43" }, { "entitytype" "ip", "evidencecreationtime" "2023 04 17t21 41 26 55z", "verdict" "suspicious", "remediationstatus" "none", "ipaddress" "75 169 147 157" } ] } ] }, { "incidentid" 391, "incidenturi" "https //security microsoft com/incidents/391?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 390, "incidentname" "atypical travel involving 
one user", "createdtime" "2023 04 17t21 41 26 8833333z", "lastupdatetime" "2023 04 17t21 44 37 7466667z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "high", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 386, "incidenturi" "https //security microsoft com/incidents/386?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "unused app", "createdtime" "2023 04 17t13 25 09 6733333z", "lastupdatetime" "2023 04 17t13 29 01 8z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "active", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "mae30cf59d 60e0 45d2 be22 35f8c9c2719a", "provideralertid" "e30cf59d 60e0 45d2 be22 35f8c9c2719a", "incidentid" 386, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 04 17t13 25 07 0408325z", "lastupdatedtime" "2023 04 17t13 25 10 2333333z", "resolvedtime" null, "firstactivity" "2023 04 17t13 24 26 537z", "lastactivity" "2023 04 17t13 24 26 537z", "title" "unused app", "description" "the cloud app (spt 16600 test) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=d40cafce a698 4c37 9d4a 03ed026523bd\\">spt 16600 test\</a>", "category" "suspiciousactivity", "status" "new", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" null, "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" null, "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 04 17t13 25 07 3766667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "d40cafce a698 4c37 9d4a 
03ed026523bd", "applicationname" "spt 16600 test" } ] }, { "alertid" "mae75ecaae 8959 481e 90b2 9cf6034e753f", "provideralertid" "e75ecaae 8959 481e 90b2 9cf6034e753f", "incidentid" 386, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 04 17t13 25 15 268883z", "lastupdatedtime" "2023 04 17t13 29 01 4z", "resolvedtime" null, "firstactivity" "2023 04 17t13 24 26 537z", "lastactivity" "2023 04 17t13 24 26 537z", "title" "unused app", "description" "the cloud app (swimlane exchange) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=ddc1cf86 9262 4f0c ac75 976be4740a8a\\">swimlane exchange\</a>", "category" "suspiciousactivity", "status" "new", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" null, "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" null, "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 04 17t13 25 15 3z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "ddc1cf86 9262 4f0c ac75 976be4740a8a", "applicationname" "swimlane exchange" } ] }, { "alertid" "ma708d7b41 64fc 4a9e 9a72 df43a66f6d81", "provideralertid" "708d7b41 64fc 4a9e 9a72 df43a66f6d81", "incidentid" 386, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 04 17t13 25 15 325479z", "lastupdatedtime" "2023 04 17t13 29 01 4z", "resolvedtime" null, "firstactivity" "2023 04 17t13 24 26 537z", "lastactivity" "2023 04 17t13 24 26 537z", "title" "unused app", "description" "the cloud app (ms graph) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a 
href=\\"https //security microsoft com//app?oauthappid=b20df696 5608 4e55 a4e1 c8e217cbe94a\\">ms graph\</a>", "category" "suspiciousactivity", "status" "new", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" null, "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" null, "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 04 17t13 25 15 4z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "b20df696 5608 4e55 a4e1 c8e217cbe94a", "applicationname" "ms graph" } ] }, { "alertid" "ma58be77be e766 46e2 9052 9ddeef52c130", "provideralertid" "58be77be e766 46e2 9052 9ddeef52c130", "incidentid" 386, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 04 17t13 25 38 5262693z", "lastupdatedtime" "2023 04 17t13 29 01 4z", "resolvedtime" null, "firstactivity" "2023 04 17t13 24 26 537z", "lastactivity" "2023 04 17t13 24 26 537z", "title" "unused app", "description" "the cloud app (ff ad search) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=b9d33ed6 1e0b 474a 9ee8 a01b5082227b\\">ff ad search\</a>", "category" "suspiciousactivity", "status" "new", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" null, "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" null, "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 04 17t13 25 40 64z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "b9d33ed6 1e0b 474a 9ee8 
a01b5082227b", "applicationname" "ff ad search" } ] } ] }, { "incidentid" 387, "incidenturi" "https //security microsoft com/incidents/387?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 386, "incidentname" "unused app", "createdtime" "2023 04 17t13 25 15 3966667z", "lastupdatetime" "2023 04 17t13 29 01 25z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 388, "incidenturi" "https //security microsoft com/incidents/388?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 386, "incidentname" "unused app", "createdtime" "2023 04 17t13 25 17 5z", "lastupdatetime" "2023 04 17t13 29 01 25z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 389, "incidenturi" "https //security microsoft com/incidents/389?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 386, "incidentname" "unused app", "createdtime" "2023 04 17t13 25 40 6866667z", "lastupdatetime" "2023 04 17t13 29 01 25z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 385, "incidenturi" "https //security microsoft com/incidents/385?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 384, "incidentname" "atypical travel involving one user", "createdtime" "2023 04 11t18 07 21 2866667z", "lastupdatetime" "2023 04 11t18 12 15 46z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 38, "incidenturi" "https //security microsoft com/incidents/38?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "unused app", 
"createdtime" "2023 03 20t18 28 13 1066667z", "lastupdatetime" "2023 04 07t20 57 12 47z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "resolved", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "ma36a692a7 f218 425f 9389 c317adcef391", "provideralertid" "36a692a7 f218 425f 9389 c317adcef391", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 20t18 28 12 1318787z", "lastupdatedtime" "2023 04 07t20 56 47 82z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 20t18 27 48 728z", "lastactivity" "2023 03 20t18 27 48 728z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 20t18 28 12 5166667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "ma90594b68 8b26 4006 bbc8 4b584c7814f5", "provideralertid" "90594b68 8b26 4006 bbc8 4b584c7814f5", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 20t18 28 17 3426568z", "lastupdatedtime" "2023 04 07t20 56 44 4966667z", "resolvedtime" 
"2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 20t18 27 48 728z", "lastactivity" "2023 03 20t18 27 48 728z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 20t18 28 17 3766667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma186a1c40 21fc 438c 8c60 cd808d90a621", "provideralertid" "186a1c40 21fc 438c 8c60 cd808d90a621", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 20t18 28 32 8056016z", "lastupdatedtime" "2023 04 07t20 56 42 56z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 20t18 27 48 728z", "lastactivity" "2023 03 20t18 27 48 728z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, 
"investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 20t18 28 32 8866667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "mab055ecdb c348 480d bc33 6ee251614c29", "provideralertid" "b055ecdb c348 480d bc33 6ee251614c29", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 20t19 30 38 2998356z", "lastupdatedtime" "2023 04 07t20 56 31 98z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 20t19 30 02 084z", "lastactivity" "2023 03 20t19 30 02 084z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 20t19 30 38 4433333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" 
"ma6d6a4741 6860 4c87 96b7 bef950ae4847", "provideralertid" "6d6a4741 6860 4c87 96b7 bef950ae4847", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 20t19 30 38 4196929z", "lastupdatedtime" "2023 04 07t20 56 58 2533333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 20t19 30 02 084z", "lastactivity" "2023 03 20t19 30 02 084z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 20t19 30 38 5033333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma7e0ab21d 5ee4 4c0e b63a 9c4213361912", "provideralertid" "7e0ab21d 5ee4 4c0e b63a 9c4213361912", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 20t19 30 46 6234804z", "lastupdatedtime" "2023 04 07t20 56 37 57z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 20t19 30 02 084z", "lastactivity" "2023 03 20t19 30 02 084z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain 
authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 20t19 30 46 6966667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "maa82364c4 ad2a 48c9 a369 c9676723a580", "provideralertid" "a82364c4 ad2a 48c9 a369 c9676723a580", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 20t20 13 38 95147z", "lastupdatedtime" "2023 04 07t20 56 47 75z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 20t20 12 53 332z", "lastactivity" "2023 03 20t20 12 53 332z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" 
null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 20t20 13 39 15z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "mac87818bf 185f 47a9 a222 873c2021cc7d", "provideralertid" "c87818bf 185f 47a9 a222 873c2021cc7d", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 20t20 13 41 9969443z", "lastupdatedtime" "2023 04 07t20 57 05 7333333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 20t20 12 53 332z", "lastactivity" "2023 03 20t20 12 53 332z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 20t20 13 42 08z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "ma9ca58caf 999c 4773 b2cb cda0d36fcfd1", "provideralertid" "9ca58caf 999c 4773 b2cb cda0d36fcfd1", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 20t20 13 42 3286857z", "lastupdatedtime" "2023 04 07t20 56 42 1333333z", 
"resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 20t20 12 53 332z", "lastactivity" "2023 03 20t20 12 53 332z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 20t20 13 42 4066667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "ma8873a72e 58f7 4e3c a3a9 0a7608d61ba5", "provideralertid" "8873a72e 58f7 4e3c a3a9 0a7608d61ba5", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 20t21 32 27 6861018z", "lastupdatedtime" "2023 04 07t20 56 54 4466667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 20t21 31 49 571z", "lastactivity" "2023 03 20t21 31 49 571z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", 
"status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 20t21 32 27 8466667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "ma62af3faf 1d7b 4296 b9d2 6256212d7260", "provideralertid" "62af3faf 1d7b 4296 b9d2 6256212d7260", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 20t21 32 31 9495069z", "lastupdatedtime" "2023 04 07t20 56 58 5066667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 20t21 31 49 571z", "lastactivity" "2023 03 20t21 31 49 571z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 20t21 32 32 04z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 
48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "maffaf5645 543f 4685 bbb1 03c50d0508a8", "provideralertid" "ffaf5645 543f 4685 bbb1 03c50d0508a8", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 20t21 32 43 4723721z", "lastupdatedtime" "2023 04 07t20 56 39 58z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 20t21 31 49 571z", "lastactivity" "2023 03 20t21 31 49 571z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 20t21 32 43 5366667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "maf8b7bf59 5b19 4f93 bc1a def144bf79f6", "provideralertid" "f8b7bf59 5b19 4f93 bc1a def144bf79f6", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 20t22 19 23 3984245z", "lastupdatedtime" "2023 04 07t20 56 57 8833333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 20t22 18 52 841z", "lastactivity" "2023 03 20t22 18 52 841z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed 
in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 20t22 19 23 55z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "mabb1e03e9 5717 42b9 be8c 3c70be84857a", "provideralertid" "bb1e03e9 5717 42b9 be8c 3c70be84857a", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 20t22 19 30 6099646z", "lastupdatedtime" "2023 04 07t20 57 02 4633333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 20t22 18 52 841z", "lastactivity" "2023 03 20t22 18 52 841z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" 
"microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 20t22 19 30 6466667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "ma81fbca51 4a05 4cfb b90a 1ce725f501af", "provideralertid" "81fbca51 4a05 4cfb b90a 1ce725f501af", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 20t22 19 34 0408916z", "lastupdatedtime" "2023 04 07t20 56 40 75z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 20t22 18 52 841z", "lastactivity" "2023 03 20t22 18 52 841z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 20t22 19 36 1233333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma8d0041bd cdaa 4f05 a663 75fa9ad3b6ff", "provideralertid" "8d0041bd cdaa 4f05 a663 75fa9ad3b6ff", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 
03 20t23 33 34 2704929z", "lastupdatedtime" "2023 04 07t20 56 42 13z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 20t23 32 22 72z", "lastactivity" "2023 03 20t23 32 22 72z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 20t23 33 34 4233333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "ma167c6c01 5d0f 440f a72c f36ba023c71d", "provideralertid" "167c6c01 5d0f 440f a72c f36ba023c71d", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 20t23 33 36 5551239z", "lastupdatedtime" "2023 04 07t20 57 03 31z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 20t23 32 22 72z", "lastactivity" "2023 03 20t23 32 22 72z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", 
"category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 20t23 33 36 5833333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "maa615e5b6 be66 4e9d a7f0 472abe150701", "provideralertid" "a615e5b6 be66 4e9d a7f0 472abe150701", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 20t23 34 06 8492123z", "lastupdatedtime" "2023 04 07t20 56 35 1266667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 20t23 32 22 72z", "lastactivity" "2023 03 20t23 32 22 72z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 20t23 34 06 89z", "verdict" "suspicious", "remediationstatus" "none", 
"applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma4064129e 57dc 4f82 b0cf b61d145a52fa", "provideralertid" "4064129e 57dc 4f82 b0cf b61d145a52fa", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t00 12 08 4713056z", "lastupdatedtime" "2023 04 07t20 56 53 11z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t00 11 37 616z", "lastactivity" "2023 03 21t00 11 37 616z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t00 12 08 6233333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "mac573f3c7 3f35 474f a904 9da8f7ee00f0", "provideralertid" "c573f3c7 3f35 474f a904 9da8f7ee00f0", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t00 12 08 4990038z", "lastupdatedtime" "2023 04 07t20 57 05 0166667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t00 11 37 617z", "lastactivity" "2023 03 21t00 11 37 617z", "title" "unused app", "description" "the cloud app (sharepoint app 
registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t00 12 08 6566667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "madbbba3a9 5434 4b86 bf02 c6b53be4caef", "provideralertid" "dbbba3a9 5434 4b86 bf02 c6b53be4caef", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t00 12 22 4459147z", "lastupdatedtime" "2023 04 07t20 56 34 0366667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t00 11 37 617z", "lastactivity" "2023 03 21t00 11 37 617z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 
e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t00 12 22 48z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma0d17b881 5d6a 4c77 b9b3 2bdfaac51e72", "provideralertid" "0d17b881 5d6a 4c77 b9b3 2bdfaac51e72", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t01 35 29 2464821z", "lastupdatedtime" "2023 04 07t20 56 44 3466667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t01 35 00 489z", "lastactivity" "2023 03 21t01 35 00 489z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t01 35 29 4133333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "ma7193f3f4 bbb6 4884 99d0 2fd6d218232b", "provideralertid" "7193f3f4 bbb6 4884 99d0 2fd6d218232b", "incidentid" 38, "servicesource" 
"microsoftapplicationprotection", "creationtime" "2023 03 21t01 35 35 9606035z", "lastupdatedtime" "2023 04 07t20 57 00 9833333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t01 35 00 489z", "lastactivity" "2023 03 21t01 35 00 489z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t01 35 36 1433333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma5129dd93 5193 4b4c bc0c a6ff969a4a36", "provideralertid" "5129dd93 5193 4b4c bc0c a6ff969a4a36", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t01 35 52 5475583z", "lastupdatedtime" "2023 04 07t20 56 40 5333333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t01 35 00 489z", "lastactivity" "2023 03 21t01 35 00 489z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 
55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t01 35 52 7033333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "ma664ce18b 56b4 45c9 bad8 5da0f593e803", "provideralertid" "664ce18b 56b4 45c9 bad8 5da0f593e803", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t02 31 52 3425007z", "lastupdatedtime" "2023 04 07t20 56 40 7566667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t02 31 07 347z", "lastactivity" "2023 03 21t02 31 07 347z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", 
"evidencecreationtime" "2023 03 21t02 31 52 4833333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "ma59e6706f 417b 409b 81bd 7bede33867a7", "provideralertid" "59e6706f 417b 409b 81bd 7bede33867a7", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t02 31 55 9678795z", "lastupdatedtime" "2023 04 07t20 56 41 94z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t02 31 07 347z", "lastactivity" "2023 03 21t02 31 07 347z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t02 31 56 08z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "ma703e3481 6139 4866 bfe8 b0c02ed4ebb1", "provideralertid" "703e3481 6139 4866 bfe8 b0c02ed4ebb1", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t02 32 08 8126702z", "lastupdatedtime" "2023 04 07t20 56 30 24z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t02 31 07 347z", 
"lastactivity" "2023 03 21t02 31 07 347z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t02 32 08 89z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma1bb9d9c6 6515 40cb b84a e3d12287b8f7", "provideralertid" "1bb9d9c6 6515 40cb b84a e3d12287b8f7", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t03 10 06 3039227z", "lastupdatedtime" "2023 04 07t20 56 34 1133333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t03 09 37 501z", "lastactivity" "2023 03 21t03 09 37 501z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" 
"truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t03 10 06 48z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "maddeb5efb b2ae 4242 bdfa e218cbd5ed53", "provideralertid" "ddeb5efb b2ae 4242 bdfa e218cbd5ed53", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t03 10 38 6482799z", "lastupdatedtime" "2023 04 07t20 57 00 8033333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t03 09 37 501z", "lastactivity" "2023 03 21t03 09 37 501z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t03 10 38 73z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "ma36b8f2bc d75f 4cac 9746 6e7106337501", 
"provideralertid" "36b8f2bc d75f 4cac 9746 6e7106337501", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t03 10 39 3245974z", "lastupdatedtime" "2023 04 07t20 56 35 79z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t03 09 37 501z", "lastactivity" "2023 03 21t03 09 37 501z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t03 10 39 3666667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma8604f85a 409d 4459 8397 5b2fc7cd4fe8", "provideralertid" "8604f85a 409d 4459 8397 5b2fc7cd4fe8", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t04 31 40 8938988z", "lastupdatedtime" "2023 04 07t20 56 40 55z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t04 30 57 807z", "lastactivity" "2023 03 21t04 30 57 807z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network 
\r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t04 31 41 04z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "mae3041597 0490 41f5 a3df 0c94ebe41e57", "provideralertid" "e3041597 0490 41f5 a3df 0c94ebe41e57", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t04 31 44 9216838z", "lastupdatedtime" "2023 04 07t20 56 44 5233333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t04 30 57 807z", "lastactivity" "2023 03 21t04 30 57 807z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" 
"oauthapplication", "evidencecreationtime" "2023 03 21t04 31 45 0133333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "ma589ece26 bd0a 4dcb 89aa fde59cd3ca87", "provideralertid" "589ece26 bd0a 4dcb 89aa fde59cd3ca87", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t04 31 52 7530418z", "lastupdatedtime" "2023 04 07t20 56 42 89z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t04 30 57 807z", "lastactivity" "2023 03 21t04 30 57 807z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t04 31 52 8233333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "maaf14ed60 ca05 497a 9c28 a4b27c5f50e0", "provideralertid" "af14ed60 ca05 497a 9c28 a4b27c5f50e0", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t05 10 29 8619687z", "lastupdatedtime" "2023 04 07t20 56 40 42z", "resolvedtime" "2023 04 07t01 24 26 9166667z", 
"firstactivity" "2023 03 21t05 09 58 023z", "lastactivity" "2023 03 21t05 09 58 023z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t05 10 30 01z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "maa0b6e8f4 bcb8 468b bd8e 1c04ce30d1b0", "provideralertid" "a0b6e8f4 bcb8 468b bd8e 1c04ce30d1b0", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t05 10 31 265563z", "lastupdatedtime" "2023 04 07t20 56 53 13z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t05 09 58 023z", "lastactivity" "2023 03 21t05 09 58 023z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", 
"classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t05 10 31 38z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "maaec93430 8d58 4e01 b9ea 63ecbad861e9", "provideralertid" "aec93430 8d58 4e01 b9ea 63ecbad861e9", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t05 10 54 6266644z", "lastupdatedtime" "2023 04 07t20 57 00 83z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t05 09 58 023z", "lastactivity" "2023 03 21t05 09 58 023z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t05 10 54 6933333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "ma90a40fb6 
de36 4cc1 9480 52b3116ad255", "provideralertid" "90a40fb6 de36 4cc1 9480 52b3116ad255", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t06 36 46 6688314z", "lastupdatedtime" "2023 04 07t20 56 32 73z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t06 36 14 398z", "lastactivity" "2023 03 21t06 36 14 398z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t06 36 46 8333333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "maa72c36d7 66ec 4bd4 80d2 cdceb3f7f7ed", "provideralertid" "a72c36d7 66ec 4bd4 80d2 cdceb3f7f7ed", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t06 37 06 1164009z", "lastupdatedtime" "2023 04 07t20 56 40 3333333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t06 36 14 398z", "lastactivity" "2023 03 21t06 36 14 398z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly 
obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t06 37 06 1933333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma2a053a84 dd75 4280 aed6 dd0898f78c43", "provideralertid" "2a053a84 dd75 4280 aed6 dd0898f78c43", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t06 37 15 8316653z", "lastupdatedtime" "2023 04 07t20 56 30 3266667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t06 36 14 398z", "lastactivity" "2023 03 21t06 36 14 398z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, 
"mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t06 37 15 91z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "ma2b26e048 184b 4095 8ae5 5ba40c673399", "provideralertid" "2b26e048 184b 4095 8ae5 5ba40c673399", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t07 30 42 0077654z", "lastupdatedtime" "2023 04 07t20 57 03 3133333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t07 30 13 37z", "lastactivity" "2023 03 21t07 30 13 37z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t07 30 42 15z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "ma54482811 b72c 49e5 917d a525a3c8fdad", "provideralertid" "54482811 b72c 49e5 917d a525a3c8fdad", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t07 30 57 4506489z", "lastupdatedtime" "2023 04 07t20 
57 04 6366667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t07 30 13 37z", "lastactivity" "2023 03 21t07 30 13 37z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t07 30 57 52z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "ma3b85d019 8547 42e5 979a 8b54b893001b", "provideralertid" "3b85d019 8547 42e5 979a 8b54b893001b", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t07 31 13 6391916z", "lastupdatedtime" "2023 04 07t20 56 58 1933333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t07 30 13 37z", "lastactivity" "2023 03 21t07 30 13 37z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", 
"investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t07 31 13 6733333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "mac1994815 f33c 4520 baf4 640b062dcfde", "provideralertid" "c1994815 f33c 4520 baf4 640b062dcfde", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t08 18 07 2500381z", "lastupdatedtime" "2023 04 07t20 56 23 98z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t08 17 40 943z", "lastactivity" "2023 03 21t08 17 40 943z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t08 18 07 39z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw 
defenderatp app" } ] }, { "alertid" "maf9eae403 df92 4c34 b4c9 52e2b101d6dc", "provideralertid" "f9eae403 df92 4c34 b4c9 52e2b101d6dc", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t08 18 12 9998173z", "lastupdatedtime" "2023 04 07t20 56 47 7533333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t08 17 40 943z", "lastactivity" "2023 03 21t08 17 40 943z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t08 18 13 04z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "maa26a51f2 69e5 4a1c a1a5 d607736d87cd", "provideralertid" "a26a51f2 69e5 4a1c a1a5 d607736d87cd", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t08 18 35 1402134z", "lastupdatedtime" "2023 04 07t20 56 40 55z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t08 17 40 943z", "lastactivity" "2023 03 21t08 17 40 943z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days 
attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t08 18 35 1733333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "maece929f7 d60a 4758 ad72 a1bc7ebb601b", "provideralertid" "ece929f7 d60a 4758 ad72 a1bc7ebb601b", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t09 29 38 6656146z", "lastupdatedtime" "2023 04 07t20 56 40 3466667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t09 29 09 722z", "lastactivity" "2023 03 21t09 29 09 722z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" 
null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t09 29 38 81z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "maee42fc89 18a9 42c1 a904 3bf41730b034", "provideralertid" "ee42fc89 18a9 42c1 a904 3bf41730b034", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t09 29 43 6192496z", "lastupdatedtime" "2023 04 07t20 57 02 4633333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t09 29 09 722z", "lastactivity" "2023 03 21t09 29 09 722z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t09 29 43 6966667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "mad7db7187 5845 42e4 9ab0 08c61829c548", "provideralertid" "d7db7187 5845 42e4 9ab0 08c61829c548", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t09 29 46 
8152944z", "lastupdatedtime" "2023 04 07t20 56 54 4933333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t09 29 09 722z", "lastactivity" "2023 03 21t09 29 09 722z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t09 29 46 8633333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma73027d15 76f6 4aa8 89be bddf77e07103", "provideralertid" "73027d15 76f6 4aa8 89be bddf77e07103", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t10 10 59 1479614z", "lastupdatedtime" "2023 04 07t20 56 53 0266667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t10 10 36 253z", "lastactivity" "2023 03 21t10 10 36 253z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", 
"category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t10 10 59 3233333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "ma00856b1f 09b9 4d3c 8e12 8eaf6eefa3f0", "provideralertid" "00856b1f 09b9 4d3c 8e12 8eaf6eefa3f0", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t10 11 10 5774069z", "lastupdatedtime" "2023 04 07t20 56 42 4466667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t10 10 36 253z", "lastactivity" "2023 03 21t10 10 36 253z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t10 11 10 6966667z", "verdict" "suspicious", "remediationstatus" 
"none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "ma6020abd5 6f8f 4060 b658 1cdc33cb7988", "provideralertid" "6020abd5 6f8f 4060 b658 1cdc33cb7988", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t10 11 40 3691814z", "lastupdatedtime" "2023 04 07t20 56 41 99z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t10 10 36 253z", "lastactivity" "2023 03 21t10 10 36 253z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t10 11 40 46z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma1d5a5d32 6378 4e78 9f93 e87c9dbafc99", "provideralertid" "1d5a5d32 6378 4e78 9f93 e87c9dbafc99", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t11 25 04 4714275z", "lastupdatedtime" "2023 04 07t20 56 39 9666667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t11 24 14 528z", "lastactivity" "2023 03 21t11 24 14 528z", "title" "unused app", "description" "the cloud app (graph 
explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t11 25 04 63z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "ma5ba55f3d 0d5e 4855 bffb 97823f646ab6", "provideralertid" "5ba55f3d 0d5e 4855 bffb 97823f646ab6", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t11 25 07 1191469z", "lastupdatedtime" "2023 04 07t20 57 03 3133333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t11 24 14 528z", "lastactivity" "2023 03 21t11 24 14 528z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 
04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t11 25 07 2066667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "mafa995a2b 779c 41db 99df 993eecbad604", "provideralertid" "fa995a2b 779c 41db 99df 993eecbad604", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t11 25 19 0353994z", "lastupdatedtime" "2023 04 07t20 56 36 9633333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t11 24 14 528z", "lastactivity" "2023 03 21t11 24 14 528z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t11 25 19 0633333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma353c073e 6178 4ed7 aa2b c519744a2fda", "provideralertid" "353c073e 6178 4ed7 aa2b c519744a2fda", "incidentid" 38, "servicesource" 
"microsoftapplicationprotection", "creationtime" "2023 03 21t12 27 20 6195199z", "lastupdatedtime" "2023 04 07t20 56 46 48z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t12 27 00 144z", "lastactivity" "2023 03 21t12 27 00 144z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t12 27 20 7633333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma7b198391 413e 4409 b3f0 55075cc9aac4", "provideralertid" "7b198391 413e 4409 b3f0 55075cc9aac4", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t12 27 29 3399174z", "lastupdatedtime" "2023 04 07t20 56 30 2866667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t12 27 00 144z", "lastactivity" "2023 03 21t12 27 00 144z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad 
b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t12 27 29 4233333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "ma794c1ea1 b785 4738 a195 2d57461f7e2d", "provideralertid" "794c1ea1 b785 4738 a195 2d57461f7e2d", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t12 27 55 4587445z", "lastupdatedtime" "2023 04 07t20 57 04 6633333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t12 27 00 144z", "lastactivity" "2023 03 21t12 27 00 144z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t12 27 55 54z", 
"verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "mad7c20214 4d4e 4a0a 9b68 6502be7ddc25", "provideralertid" "d7c20214 4d4e 4a0a 9b68 6502be7ddc25", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t13 26 57 2825372z", "lastupdatedtime" "2023 04 07t20 56 52 4333333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t13 26 31 334z", "lastactivity" "2023 03 21t13 26 31 334z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t13 26 57 4966667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "ma5851f968 2004 47c2 9832 7bc0c191c8d1", "provideralertid" "5851f968 2004 47c2 9832 7bc0c191c8d1", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t13 27 25 8448713z", "lastupdatedtime" "2023 04 07t20 56 58 5933333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t13 26 31 334z", "lastactivity" "2023 03 21t13 26 31 334z", 
"title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t13 27 25 92z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "mac89948d6 e82e 44cd 9259 d5292129a925", "provideralertid" "c89948d6 e82e 44cd 9259 d5292129a925", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t13 27 29 328219z", "lastupdatedtime" "2023 04 07t20 56 58 72z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t13 26 31 334z", "lastactivity" "2023 03 21t13 26 31 334z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, 
"detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t13 27 29 3766667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "ma5434cebf 9c8d 4644 897f ec08c7f4c2b8", "provideralertid" "5434cebf 9c8d 4644 897f ec08c7f4c2b8", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t14 31 00 4875455z", "lastupdatedtime" "2023 04 07t20 56 40 5233333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t14 30 18 262z", "lastactivity" "2023 03 21t14 30 18 262z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t14 31 00 7z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma948b7aed 658a 40d5 8937 9050eb94011c", "provideralertid" "948b7aed 658a 40d5 
8937 9050eb94011c", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t14 31 20 616326z", "lastupdatedtime" "2023 04 07t20 56 53 2833333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t14 30 18 261z", "lastactivity" "2023 03 21t14 30 18 261z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t14 31 20 75z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "ma8ee7abd6 01c8 47d1 bccd 8e99f1a299d2", "provideralertid" "8ee7abd6 01c8 47d1 bccd 8e99f1a299d2", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t14 31 32 2412049z", "lastupdatedtime" "2023 04 07t20 57 00 6166667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t14 30 18 262z", "lastactivity" "2023 03 21t14 30 18 262z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security 
microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t14 31 32 34z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "ma6bfcbd0a d164 4578 84ad c6e2a5396186", "provideralertid" "6bfcbd0a d164 4578 84ad c6e2a5396186", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t15 27 33 1417262z", "lastupdatedtime" "2023 04 07t20 56 50 5633333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t15 26 57 99z", "lastactivity" "2023 03 21t15 26 57 99z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" 
"oauthapplication", "evidencecreationtime" "2023 03 21t15 27 33 32z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "ma8d0d8352 cc65 47ca bec9 3dea7d07cd3a", "provideralertid" "8d0d8352 cc65 47ca bec9 3dea7d07cd3a", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t15 27 40 5055322z", "lastupdatedtime" "2023 04 07t20 56 46 64z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t15 26 57 99z", "lastactivity" "2023 03 21t15 26 57 99z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t15 27 40 54z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "ma43992308 6a1a 4f42 a6a4 40ea0aa8ea11", "provideralertid" "43992308 6a1a 4f42 a6a4 40ea0aa8ea11", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t15 27 43 6400663z", "lastupdatedtime" "2023 04 07t20 56 41 8933333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t15 26 
57 991z", "lastactivity" "2023 03 21t15 26 57 991z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t15 27 43 6766667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "maa67b47fa b139 4b92 8f94 4029c16afcca", "provideralertid" "a67b47fa b139 4b92 8f94 4029c16afcca", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t16 31 36 3559672z", "lastupdatedtime" "2023 04 07t20 56 47 45z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t16 31 07 623z", "lastactivity" "2023 03 21t16 31 07 623z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", 
"classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t16 31 36 52z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "ma2a283d6a fc45 450f a70d 8860033b203c", "provideralertid" "2a283d6a fc45 450f a70d 8860033b203c", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t16 31 40 6470425z", "lastupdatedtime" "2023 04 07t20 57 04 6533333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t16 31 07 623z", "lastactivity" "2023 03 21t16 31 07 623z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t16 31 40 73z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma6b4b640c be54 4f38 b2e2 
d44d9a9e43e4", "provideralertid" "6b4b640c be54 4f38 b2e2 d44d9a9e43e4", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t16 31 45 736938z", "lastupdatedtime" "2023 04 07t20 56 49 9833333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t16 31 07 623z", "lastactivity" "2023 03 21t16 31 07 623z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t16 31 45 7666667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "ma2157d1f0 d7dd 4b7d 9bb4 0a86a9f90389", "provideralertid" "2157d1f0 d7dd 4b7d 9bb4 0a86a9f90389", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t17 28 13 3001394z", "lastupdatedtime" "2023 04 07t20 56 52 33z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t17 27 40 753z", "lastactivity" "2023 03 21t17 27 40 753z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access 
to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t17 28 13 46z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "ma807b7d98 5fd3 4fd4 a768 b470f88e4b5e", "provideralertid" "807b7d98 5fd3 4fd4 a768 b470f88e4b5e", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t17 28 18 0558435z", "lastupdatedtime" "2023 04 07t20 56 41 6733333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t17 27 40 753z", "lastactivity" "2023 03 21t17 27 40 753z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" 
\[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t17 28 20 1533333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma06d544b8 c216 4327 b1f9 94a6401d6e97", "provideralertid" "06d544b8 c216 4327 b1f9 94a6401d6e97", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t17 28 20 0770724z", "lastupdatedtime" "2023 04 07t20 56 54 4233333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t17 27 40 753z", "lastactivity" "2023 03 21t17 27 40 753z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t17 28 20 1533333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "ma96f7043a 4c70 4c23 a6f2 9e031346c9c7", "provideralertid" "96f7043a 4c70 4c23 a6f2 9e031346c9c7", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t18 28 45 1995841z", "lastupdatedtime" "2023 04 07t20 57 02 4233333z", "resolvedtime" "2023 04 07t01 24 26 
9166667z", "firstactivity" "2023 03 21t18 28 01 751z", "lastactivity" "2023 03 21t18 28 01 751z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t18 28 45 3566667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "ma3ff68646 503a 421e 85b0 4730a243a699", "provideralertid" "3ff68646 503a 421e 85b0 4730a243a699", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t18 28 51 4002127z", "lastupdatedtime" "2023 04 07t20 56 46 8966667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t18 28 01 751z", "lastactivity" "2023 03 21t18 28 01 751z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" 
null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t18 28 51 43z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma6ab50929 1ea9 4cb5 bbd8 5c280d5e09ee", "provideralertid" "6ab50929 1ea9 4cb5 bbd8 5c280d5e09ee", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t18 29 17 9807701z", "lastupdatedtime" "2023 04 07t20 57 02 35z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t18 28 01 751z", "lastactivity" "2023 03 21t18 28 01 751z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t18 29 18 06z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" 
"ma1dc0b1bb 59a0 43c2 8988 5cf7c4fece97", "provideralertid" "1dc0b1bb 59a0 43c2 8988 5cf7c4fece97", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t19 39 25 7407952z", "lastupdatedtime" "2023 04 07t20 56 50 5166667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t19 34 04 893z", "lastactivity" "2023 03 21t19 34 04 893z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t19 39 25 9z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "mafb625f7b 4cbc 46cc b702 4bd70164c229", "provideralertid" "fb625f7b 4cbc 46cc b702 4bd70164c229", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t19 39 38 7402063z", "lastupdatedtime" "2023 04 07t20 56 42 3166667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t19 34 04 894z", "lastactivity" "2023 03 21t19 34 04 894z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens 
and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t19 39 40 7866667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma54a84f7e 2f6a 451c 92a8 0a0b882d5aab", "provideralertid" "54a84f7e 2f6a 451c 92a8 0a0b882d5aab", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t19 39 45 7475482z", "lastupdatedtime" "2023 04 07t20 56 55 48z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t19 34 04 894z", "lastactivity" "2023 03 21t19 34 04 894z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, 
"mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t19 39 45 78z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "ma408c3588 162a 484b baf9 a021f40748a1", "provideralertid" "408c3588 162a 484b baf9 a021f40748a1", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t20 31 59 8521768z", "lastupdatedtime" "2023 04 07t20 56 47 56z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t20 27 43 489z", "lastactivity" "2023 03 21t20 27 43 489z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t20 32 00 0066667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "ma62d65f7d dfb9 4b2c a586 b75bd28b61bd", "provideralertid" "62d65f7d dfb9 4b2c a586 b75bd28b61bd", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t20 32 05 9912135z", "lastupdatedtime" 
"2023 04 07t20 56 46 65z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t20 27 43 489z", "lastactivity" "2023 03 21t20 27 43 489z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t20 32 08 11z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "mafb49c6e1 0318 407a a44a 69899cb1c6f6", "provideralertid" "fb49c6e1 0318 407a a44a 69899cb1c6f6", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t20 32 06 9010197z", "lastupdatedtime" "2023 04 07t20 56 54 1233333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t20 27 43 489z", "lastactivity" "2023 03 21t20 27 43 489z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" 
"medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t20 32 06 9833333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "ma746410f0 5eac 4c8c bfc9 1f3003a657ee", "provideralertid" "746410f0 5eac 4c8c bfc9 1f3003a657ee", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t21 25 05 3788273z", "lastupdatedtime" "2023 04 07t20 56 49 5433333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t21 24 38 134z", "lastactivity" "2023 03 21t21 24 38 134z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t21 25 05 5966667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" 
"graph explorer" } ] }, { "alertid" "ma51dce697 e0b0 4738 ad87 af100331cb97", "provideralertid" "51dce697 e0b0 4738 ad87 af100331cb97", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t21 25 08 1233218z", "lastupdatedtime" "2023 04 07t20 56 46 6566667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t21 24 38 134z", "lastactivity" "2023 03 21t21 24 38 134z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t21 25 08 2z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "ma5d482a00 27e1 429b 93e7 4db815a02185", "provideralertid" "5d482a00 27e1 429b 93e7 4db815a02185", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t21 25 19 0358318z", "lastupdatedtime" "2023 04 07t20 56 30 1533333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t21 24 38 134z", "lastactivity" "2023 03 21t21 24 38 134z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days 
attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t21 25 19 1366667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma824f049b 7cb5 47cc b1c4 5c3ffbaf463d", "provideralertid" "824f049b 7cb5 47cc b1c4 5c3ffbaf463d", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t22 15 20 3767382z", "lastupdatedtime" "2023 04 07t20 56 42 97z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t22 14 57 776z", "lastactivity" "2023 03 21t22 14 57 776z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", 
"actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t22 15 20 54z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "ma368d5396 4139 4c7e a364 3c1d60a31cb3", "provideralertid" "368d5396 4139 4c7e a364 3c1d60a31cb3", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t22 15 21 4776602z", "lastupdatedtime" "2023 04 07t20 57 04 5433333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t22 14 57 776z", "lastactivity" "2023 03 21t22 14 57 776z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t22 15 21 5633333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma35070877 09bd 4c36 a5d2 4cfaa40bb3db", "provideralertid" "35070877 09bd 4c36 a5d2 4cfaa40bb3db", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t22 15 27 919913z", 
"lastupdatedtime" "2023 04 07t20 56 46 9966667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t22 14 57 776z", "lastactivity" "2023 03 21t22 14 57 776z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t22 15 28 0166667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "mab9628666 5c9c 4096 b474 6f7fa07a17b2", "provideralertid" "b9628666 5c9c 4096 b474 6f7fa07a17b2", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t23 26 58 702806z", "lastupdatedtime" "2023 04 07t20 56 55 73z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t23 26 30 973z", "lastactivity" "2023 03 21t23 26 30 973z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" 
"suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t23 26 58 89z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "mab694b235 0309 4d57 960d 2a284fba29bc", "provideralertid" "b694b235 0309 4d57 960d 2a284fba29bc", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t23 26 59 6701393z", "lastupdatedtime" "2023 04 07t20 56 40 3233333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t23 26 30 973z", "lastactivity" "2023 03 21t23 26 30 973z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t23 26 59 73z", "verdict" "suspicious", "remediationstatus" "none", 
"applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "macd71e6ab 64ae 4c53 8cf3 57548810b04a", "provideralertid" "cd71e6ab 64ae 4c53 8cf3 57548810b04a", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 21t23 27 07 8603064z", "lastupdatedtime" "2023 04 07t20 56 53 6733333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 21t23 26 30 973z", "lastactivity" "2023 03 21t23 26 30 973z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 21t23 27 07 9033333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "maec9db751 fa11 4c57 8b4d 5b85897d1a50", "provideralertid" "ec9db751 fa11 4c57 8b4d 5b85897d1a50", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t00 11 12 3092267z", "lastupdatedtime" "2023 04 07t20 56 50 5066667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t00 10 15 691z", "lastactivity" "2023 03 22t00 10 15 691z", "title" "unused app", "description" "the cloud app (sw 
defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t00 11 12 4633333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma57b0888a 4f6e 424c adca 23c6e6cfb746", "provideralertid" "57b0888a 4f6e 424c adca 23c6e6cfb746", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t00 11 13 617058z", "lastupdatedtime" "2023 04 07t20 56 46 6466667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t00 10 15 691z", "lastactivity" "2023 03 22t00 10 15 691z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 
e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t00 11 13 6566667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "ma30963f3a 3e18 4439 83fe e2c15f7d525a", "provideralertid" "30963f3a 3e18 4439 83fe e2c15f7d525a", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t00 11 38 8986123z", "lastupdatedtime" "2023 04 07t20 57 07 37z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t00 10 15 691z", "lastactivity" "2023 03 22t00 10 15 691z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t00 11 38 9766667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "maa51ca167 d179 4d79 87b2 6193d3f5f9b5", "provideralertid" "a51ca167 d179 4d79 87b2 6193d3f5f9b5", "incidentid" 38, "servicesource" 
"microsoftapplicationprotection", "creationtime" "2023 03 22t01 26 24 4396813z", "lastupdatedtime" "2023 04 07t20 56 45 2533333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t01 25 57 786z", "lastactivity" "2023 03 22t01 25 57 786z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t01 26 24 6z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "macd4a6281 b727 45b0 bc8e 53161063faf5", "provideralertid" "cd4a6281 b727 45b0 bc8e 53161063faf5", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t01 26 31 3570908z", "lastupdatedtime" "2023 04 07t20 56 47 12z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t01 25 57 786z", "lastactivity" "2023 03 22t01 25 57 786z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 
123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t01 26 31 43z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma6c692149 90d1 4c52 b7a2 0d584dcd065d", "provideralertid" "6c692149 90d1 4c52 b7a2 0d584dcd065d", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t01 26 43 0581554z", "lastupdatedtime" "2023 04 07t20 56 54 26z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t01 25 57 786z", "lastactivity" "2023 03 22t01 25 57 786z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t01 26 43 13z", 
"verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "ma562cc69b 1030 4549 b74d 68dbb63ea6a3", "provideralertid" "562cc69b 1030 4549 b74d 68dbb63ea6a3", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t02 23 49 1605942z", "lastupdatedtime" "2023 04 07t20 56 37 21z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t02 23 13 476z", "lastactivity" "2023 03 22t02 23 13 476z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t02 23 49 3366667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "ma4d8537e0 b209 4f16 a8e7 cb25d58bc98e", "provideralertid" "4d8537e0 b209 4f16 a8e7 cb25d58bc98e", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t02 23 57 4318633z", "lastupdatedtime" "2023 04 07t20 57 01 5833333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t02 23 13 476z", "lastactivity" 
"2023 03 22t02 23 13 476z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t02 23 57 4533333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "ma764c6a37 bc6a 4e79 bce3 25089e876a66", "provideralertid" "764c6a37 bc6a 4e79 bce3 25089e876a66", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t02 24 11 6358956z", "lastupdatedtime" "2023 04 07t20 56 41 67z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t02 23 13 476z", "lastactivity" "2023 03 22t02 23 13 476z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, 
"detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t02 24 11 7133333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "mab1826123 e465 49f4 a5ca 9cfe5755d138", "provideralertid" "b1826123 e465 49f4 a5ca 9cfe5755d138", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t03 31 54 1462257z", "lastupdatedtime" "2023 04 07t20 56 47 12z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t03 31 24 698z", "lastactivity" "2023 03 22t03 31 24 698z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t03 31 54 32z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma3b8c4163 647f 47a2 abf5 9a521efe3455", "provideralertid" "3b8c4163 647f 47a2 abf5 
9a521efe3455", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t03 31 54 7577027z", "lastupdatedtime" "2023 04 07t20 56 42 3133333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t03 31 24 698z", "lastactivity" "2023 03 22t03 31 24 698z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t03 31 54 82z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "mac18b6abb cd8f 4568 94b5 ef1b385fd981", "provideralertid" "c18b6abb cd8f 4568 94b5 ef1b385fd981", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t03 31 56 5796008z", "lastupdatedtime" "2023 04 07t20 56 35 0633333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t03 31 24 698z", "lastactivity" "2023 03 22t03 31 24 698z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a 
href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t03 31 56 68z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "mae88c366b 021f 4773 8c31 7793630e4b3d", "provideralertid" "e88c366b 021f 4773 8c31 7793630e4b3d", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t04 32 46 31733z", "lastupdatedtime" "2023 04 07t20 56 55 7233333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t04 32 07 689z", "lastactivity" "2023 03 22t04 32 07 689z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" 
"oauthapplication", "evidencecreationtime" "2023 03 22t04 32 46 46z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "ma3b2a8014 b89f 4b85 8630 e380bbd849e6", "provideralertid" "3b2a8014 b89f 4b85 8630 e380bbd849e6", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t04 32 47 3783269z", "lastupdatedtime" "2023 04 07t20 56 58 71z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t04 32 07 689z", "lastactivity" "2023 03 22t04 32 07 689z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t04 32 47 42z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "macabe7ec2 6e66 44ce b265 375d5c5b2c71", "provideralertid" "cabe7ec2 6e66 44ce b265 375d5c5b2c71", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t04 32 53 499049z", "lastupdatedtime" "2023 04 07t20 56 53 7833333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 
03 22t04 32 07 689z", "lastactivity" "2023 03 22t04 32 07 689z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t04 32 53 5466667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "ma362b7037 6960 4330 97c3 b23e4569602b", "provideralertid" "362b7037 6960 4330 97c3 b23e4569602b", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t05 17 47 2017524z", "lastupdatedtime" "2023 04 07t20 56 39 58z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t05 17 13 492z", "lastactivity" "2023 03 22t05 17 13 492z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" 
"truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t05 17 47 36z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma8e36048b aadc 42e0 826a fc6b1c0e7ec7", "provideralertid" "8e36048b aadc 42e0 826a fc6b1c0e7ec7", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t05 17 48 9728208z", "lastupdatedtime" "2023 04 07t20 56 58 5233333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t05 17 13 492z", "lastactivity" "2023 03 22t05 17 13 492z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t05 17 49 0466667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "ma15378f90 333a 4ecb 
9f42 983f1220dce6", "provideralertid" "15378f90 333a 4ecb 9f42 983f1220dce6", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t05 17 52 6598464z", "lastupdatedtime" "2023 04 07t20 56 47 1433333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t05 17 13 492z", "lastactivity" "2023 03 22t05 17 13 492z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t05 17 52 7233333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "ma07dc456e 3392 414e a263 088bb461ab0f", "provideralertid" "07dc456e 3392 414e a263 088bb461ab0f", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t06 26 24 7069019z", "lastupdatedtime" "2023 04 07t20 57 04 9566667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t06 26 05 352z", "lastactivity" "2023 03 22t06 26 05 352z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand 
access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t06 26 24 87z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma24b5494a b7a2 49f6 83c1 0bdd0466d216", "provideralertid" "24b5494a b7a2 49f6 83c1 0bdd0466d216", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t06 26 39 4157846z", "lastupdatedtime" "2023 04 07t20 56 46 8633333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t06 26 05 352z", "lastactivity" "2023 03 22t06 26 05 352z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], 
"devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t06 26 39 4866667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "ma7cacd2f5 339d 4572 aa1d 738bed48f571", "provideralertid" "7cacd2f5 339d 4572 aa1d 738bed48f571", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t06 26 40 5987551z", "lastupdatedtime" "2023 04 07t20 56 53 79z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t06 26 05 352z", "lastactivity" "2023 03 22t06 26 05 352z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t06 26 42 6566667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "mac1955edf a52e 4666 943a ad65eca25d68", "provideralertid" "c1955edf a52e 4666 943a ad65eca25d68", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t07 22 02 3874519z", "lastupdatedtime" "2023 04 07t20 56 44 3633333z", "resolvedtime" "2023 04 
07t01 24 26 9166667z", "firstactivity" "2023 03 22t07 21 31 515z", "lastactivity" "2023 03 22t07 21 31 515z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t07 22 02 6366667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma3c0796d8 2aed 4eae 95d6 8e29a7f9ffb7", "provideralertid" "3c0796d8 2aed 4eae 95d6 8e29a7f9ffb7", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t07 22 02 9223524z", "lastupdatedtime" "2023 04 07t20 56 51 8466667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t07 21 31 515z", "lastactivity" "2023 03 22t07 21 31 515z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", 
"investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t07 22 03z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "ma42a0d567 7286 41be 907c 78e2ae60e4cf", "provideralertid" "42a0d567 7286 41be 907c 78e2ae60e4cf", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t07 22 20 9303693z", "lastupdatedtime" "2023 04 07t20 56 48 1733333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t07 21 31 515z", "lastactivity" "2023 03 22t07 21 31 515z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t07 22 21z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph 
explorer" } ] }, { "alertid" "ma2d7a2e77 ab52 4549 9d67 d766b34b8e0b", "provideralertid" "2d7a2e77 ab52 4549 9d67 d766b34b8e0b", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t08 33 37 1274736z", "lastupdatedtime" "2023 04 07t20 56 45 2566667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t08 33 00 885z", "lastactivity" "2023 03 22t08 33 00 885z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t08 33 37 2833333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "maad7db716 5edb 45e6 9dca ac9bdcfdab02", "provideralertid" "ad7db716 5edb 45e6 9dca ac9bdcfdab02", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t08 33 38 3038002z", "lastupdatedtime" "2023 04 07t20 56 50 9033333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t08 33 00 885z", "lastactivity" "2023 03 22t08 33 00 885z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused 
apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t08 33 38 4066667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "ma3fabd91e 29f4 467e a425 ad425b20cc79", "provideralertid" "3fabd91e 29f4 467e a425 ad425b20cc79", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t08 33 46 4418102z", "lastupdatedtime" "2023 04 07t20 56 54 35z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t08 33 00 885z", "lastactivity" "2023 03 22t08 33 00 885z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, 
"threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t08 33 46 5133333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "ma1c6daa59 5378 4f8a a349 f1164940b08f", "provideralertid" "1c6daa59 5378 4f8a a349 f1164940b08f", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t09 11 43 8993539z", "lastupdatedtime" "2023 04 07t20 56 30 29z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t09 11 09 43z", "lastactivity" "2023 03 22t09 11 09 43z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t09 11 44 0533333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "ma40ba9469 91e8 4d2b 9f57 57518e75344f", "provideralertid" "40ba9469 91e8 4d2b 9f57 57518e75344f", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t09 11 48 8804475z", "lastupdatedtime" "2023 04 
07t20 57 04 97z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t09 11 09 43z", "lastactivity" "2023 03 22t09 11 09 43z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t09 11 48 96z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "maef85aa73 3642 4163 b6ff d78f586ee2ab", "provideralertid" "ef85aa73 3642 4163 b6ff d78f586ee2ab", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t09 11 52 9672317z", "lastupdatedtime" "2023 04 07t20 56 44 36z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t09 11 09 43z", "lastactivity" "2023 03 22t09 11 09 43z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" 
"resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t09 11 53 0566667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma5840ffd7 9390 4503 9569 93851da9039a", "provideralertid" "5840ffd7 9390 4503 9569 93851da9039a", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t10 31 29 9166364z", "lastupdatedtime" "2023 04 07t20 56 45 25z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t10 30 56 526z", "lastactivity" "2023 03 22t10 30 56 526z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t10 31 30 13z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", 
"applicationname" "graph explorer" } ] }, { "alertid" "ma1507a5ae e47c 4312 8bf5 eafc35a74922", "provideralertid" "1507a5ae e47c 4312 8bf5 eafc35a74922", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t10 31 43 7655663z", "lastupdatedtime" "2023 04 07t20 56 54 8033333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t10 30 56 526z", "lastactivity" "2023 03 22t10 30 56 526z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t10 31 45 9z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "ma2982f2fb eaaa 49a6 9918 b3caf0be47ad", "provideralertid" "2982f2fb eaaa 49a6 9918 b3caf0be47ad", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t10 31 54 5382904z", "lastupdatedtime" "2023 04 07t20 56 45 44z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t10 30 56 526z", "lastactivity" "2023 03 22t10 30 56 526z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the 
last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t10 31 54 65z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma7d9cefc8 dda4 400e 89ca ed9eab336c22", "provideralertid" "7d9cefc8 dda4 400e 89ca ed9eab336c22", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t11 10 44 4234821z", "lastupdatedtime" "2023 04 07t20 56 36 9766667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t11 10 10 258z", "lastactivity" "2023 03 22t11 10 10 258z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove 
duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t11 10 44 5166667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma41f11b52 4602 4257 98b6 74e2f1e3c9bd", "provideralertid" "41f11b52 4602 4257 98b6 74e2f1e3c9bd", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t11 10 46 5750505z", "lastupdatedtime" "2023 04 07t20 56 55 2266667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t11 10 10 258z", "lastactivity" "2023 03 22t11 10 10 258z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t11 10 46 6733333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "ma9b994be0 a966 48d2 8358 86393da9ae00", "provideralertid" "9b994be0 a966 48d2 8358 86393da9ae00", "incidentid" 38, "servicesource" "microsoftapplicationprotection", 
"creationtime" "2023 03 22t11 10 55 5886194z", "lastupdatedtime" "2023 04 07t20 57 04 95z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t11 10 10 258z", "lastactivity" "2023 03 22t11 10 10 258z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t11 10 55 6333333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "macb62eaaf c1cd 4f91 873d ff39424ab565", "provideralertid" "cb62eaaf c1cd 4f91 873d ff39424ab565", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t12 30 25 1898803z", "lastupdatedtime" "2023 04 07t20 56 47 2566667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t12 29 56 707z", "lastactivity" "2023 03 22t12 29 56 707z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app 
registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t12 30 25 3366667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "ma9263267e 87b9 43d3 b69d fdbeff4a83ee", "provideralertid" "9263267e 87b9 43d3 b69d fdbeff4a83ee", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t12 30 25 2385435z", "lastupdatedtime" "2023 04 07t20 56 38 03z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t12 29 56 707z", "lastactivity" "2023 03 22t12 29 56 707z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t12 30 25 3333333z", "verdict" "suspicious", 
"remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "mac81554ab 41bf 49f5 8d40 1122135bd92d", "provideralertid" "c81554ab 41bf 49f5 8d40 1122135bd92d", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t12 30 48 0249201z", "lastupdatedtime" "2023 04 07t20 56 36 9666667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t12 29 56 707z", "lastactivity" "2023 03 22t12 29 56 707z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t12 30 48 0966667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma3d3db8ea baf2 4d72 b142 ccd5850f3eab", "provideralertid" "3d3db8ea baf2 4d72 b142 ccd5850f3eab", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t13 32 29 0762379z", "lastupdatedtime" "2023 04 07t20 56 44 55z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t13 31 46 803z", "lastactivity" "2023 03 22t13 31 46 803z", "title" "unused app", "description" 
"the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t13 32 29 2466667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma964d987e 46ad 49e3 97b6 f8409d6741d1", "provideralertid" "964d987e 46ad 49e3 97b6 f8409d6741d1", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t13 32 31 4434834z", "lastupdatedtime" "2023 04 07t20 56 49 0766667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t13 31 46 803z", "lastactivity" "2023 03 22t13 31 46 803z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 
4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t13 32 31 5433333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "ma96ff3de0 c946 4e9c 8bc9 d5dcda090757", "provideralertid" "96ff3de0 c946 4e9c 8bc9 d5dcda090757", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t13 32 34 8306108z", "lastupdatedtime" "2023 04 07t20 56 50 25z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t13 31 46 803z", "lastactivity" "2023 03 22t13 31 46 803z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t13 32 34 8966667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "mab4914612 aaa1 4feb 8608 b96281a5550b", "provideralertid" "b4914612 aaa1 4feb 8608 b96281a5550b", "incidentid" 38, 
"servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t14 29 54 5438561z", "lastupdatedtime" "2023 04 07t20 56 41 8833333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t14 29 21 827z", "lastactivity" "2023 03 22t14 29 21 827z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t14 29 54 8866667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma9cb64156 3e57 49d2 ba48 cf7189d05cbe", "provideralertid" "9cb64156 3e57 49d2 ba48 cf7189d05cbe", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t14 29 57 578386z", "lastupdatedtime" "2023 04 07t20 56 50 51z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t14 29 21 827z", "lastactivity" "2023 03 22t14 29 21 827z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 
d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t14 29 57 6566667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "ma7fe184c2 2cb4 4502 8f75 f8204df8096a", "provideralertid" "7fe184c2 2cb4 4502 8f75 f8204df8096a", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t14 29 57 5833894z", "lastupdatedtime" "2023 04 07t20 56 47 56z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t14 29 21 827z", "lastactivity" "2023 03 22t14 29 21 827z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t14 29 
59 63z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "ma88798873 7d49 40d3 b24b 4d266a39696d", "provideralertid" "88798873 7d49 40d3 b24b 4d266a39696d", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t15 18 00 1567486z", "lastupdatedtime" "2023 04 07t20 56 54 3966667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t15 10 30 531z", "lastactivity" "2023 03 22t15 10 30 531z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t15 18 00 39z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "maca8f5f0f 7996 4c6c a34e 0e86e4e5cbd7", "provideralertid" "ca8f5f0f 7996 4c6c a34e 0e86e4e5cbd7", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t15 18 11 2968698z", "lastupdatedtime" "2023 04 07t20 56 35 3266667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t15 10 30 531z", 
"lastactivity" "2023 03 22t15 10 30 531z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t15 18 11 3233333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma3f6d1d0a 9fdb 4472 b8b1 126e136446ef", "provideralertid" "3f6d1d0a 9fdb 4472 b8b1 126e136446ef", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t15 18 16 4996046z", "lastupdatedtime" "2023 04 07t20 56 54 4166667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t15 10 30 531z", "lastactivity" "2023 03 22t15 10 30 531z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", 
"determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t15 18 16 6z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "ma5d303da5 619f 4f82 8c04 7ffb99f5e5f4", "provideralertid" "5d303da5 619f 4f82 8c04 7ffb99f5e5f4", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t16 38 22 9936625z", "lastupdatedtime" "2023 04 07t20 56 55 1333333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t16 37 37 067z", "lastactivity" "2023 03 22t16 37 37 067z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t16 38 25 1366667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "maeaa634bb 1a62 4bdd a1f2 0fdbee59a3f7", 
"provideralertid" "eaa634bb 1a62 4bdd a1f2 0fdbee59a3f7", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t16 38 25 9005321z", "lastupdatedtime" "2023 04 07t20 56 40 24z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t16 37 37 067z", "lastactivity" "2023 03 22t16 37 37 067z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t16 38 25 97z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "maa47ec5fa 4a79 4932 b528 fd2c41f0990a", "provideralertid" "a47ec5fa 4a79 4932 b528 fd2c41f0990a", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t16 38 35 1794576z", "lastupdatedtime" "2023 04 07t20 56 54 8z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t16 37 37 067z", "lastactivity" "2023 03 22t16 37 37 067z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a 
href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t16 38 35 2766667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "maa960c06a 8629 45c1 a873 da7a881e608b", "provideralertid" "a960c06a 8629 45c1 a873 da7a881e608b", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t17 35 22 6803694z", "lastupdatedtime" "2023 04 07t20 56 37 86z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t17 33 24 391z", "lastactivity" "2023 03 22t17 33 24 391z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" 
"oauthapplication", "evidencecreationtime" "2023 03 22t17 35 22 9233333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "ma098c1965 328e 4808 800f 870c80315dbc", "provideralertid" "098c1965 328e 4808 800f 870c80315dbc", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t17 35 28 6504776z", "lastupdatedtime" "2023 04 07t20 56 47 1466667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t17 33 24 391z", "lastactivity" "2023 03 22t17 33 24 391z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t17 35 30 7966667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "maf5466372 a091 427c 83e6 c339e9748992", "provideralertid" "f5466372 a091 427c 83e6 c339e9748992", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t17 35 35 8533438z", "lastupdatedtime" "2023 04 07t20 56 39 9066667z", "resolvedtime" "2023 04 07t01 24 26 
9166667z", "firstactivity" "2023 03 22t17 33 24 391z", "lastactivity" "2023 03 22t17 33 24 391z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t17 35 37 9633333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma144f53cc 98fe 4112 9b79 5c65e46ca341", "provideralertid" "144f53cc 98fe 4112 9b79 5c65e46ca341", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t18 20 21 6477514z", "lastupdatedtime" "2023 04 07t20 56 44 3433333z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t18 19 48 855z", "lastactivity" "2023 03 22t18 19 48 855z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" 
"unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t18 20 21 79z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "ma726f3676 c5bd 487d 8d9e 7d02fbd99178", "provideralertid" "726f3676 c5bd 487d 8d9e 7d02fbd99178", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t18 20 27 7157202z", "lastupdatedtime" "2023 04 07t20 56 54 3366667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t18 19 48 855z", "lastactivity" "2023 03 22t18 19 48 855z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t18 20 27 7966667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "ma4a69d160 ab3d 
431a 84b0 22f5c4c55ba5", "provideralertid" "4a69d160 ab3d 431a 84b0 22f5c4c55ba5", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t18 20 30 5343106z", "lastupdatedtime" "2023 04 07t20 56 54 5166667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t18 19 48 855z", "lastactivity" "2023 03 22t18 19 48 855z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t18 20 30 63z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] }, { "alertid" "ma71c720e0 901c 4b84 829d cc65532b9071", "provideralertid" "71c720e0 901c 4b84 829d cc65532b9071", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t19 38 54 6941207z", "lastupdatedtime" "2023 04 07t20 56 37 89z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t19 38 19 52z", "lastactivity" "2023 03 22t19 38 19 52z", "title" "unused app", "description" "the cloud app (graph explorer) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain 
authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=de8bc8b5 d9f9 48b1 a8ad b748da725064\\">graph explorer\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t19 38 54 8433333z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "de8bc8b5 d9f9 48b1 a8ad b748da725064", "applicationname" "graph explorer" } ] }, { "alertid" "ma2093b8ef 88c4 49c6 b157 0c46c46c2f17", "provideralertid" "2093b8ef 88c4 49c6 b157 0c46c46c2f17", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t19 38 57 1705342z", "lastupdatedtime" "2023 04 07t20 56 59 5z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t19 38 19 52z", "lastactivity" "2023 03 22t19 38 19 52z", "title" "unused app", "description" "the cloud app (sw defenderatp app) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=f68bf793 b048 472e affa 123916145a32\\">sw defenderatp app\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], 
"devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t19 38 57 2066667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "f68bf793 b048 472e affa 123916145a32", "applicationname" "sw defenderatp app" } ] }, { "alertid" "mae69ec3be 9f03 445b a1a1 792699b46f61", "provideralertid" "e69ec3be 9f03 445b a1a1 792699b46f61", "incidentid" 38, "servicesource" "microsoftapplicationprotection", "creationtime" "2023 03 22t19 39 09 6907893z", "lastupdatedtime" "2023 04 07t20 56 47 1466667z", "resolvedtime" "2023 04 07t01 24 26 9166667z", "firstactivity" "2023 03 22t19 38 19 519z", "lastactivity" "2023 03 22t19 38 19 519z", "title" "unused app", "description" "the cloud app (sharepoint app registration) hasn't signed in within the last 30 days attackers can utilize unused apps to covertly obtain authentication tokens and expand access to the network \r\n\<a href=\\"https //security microsoft com//app?oauthappid=c6774a09 55a7 4a7f b89f 87f2ba93c3d6\\">sharepoint app registration\</a>", "category" "suspiciousactivity", "status" "resolved", "severity" "medium", "investigationid" null, "investigationstate" "unsupportedalerttype", "classification" "truepositive", "determination" null, "detectionsource" "appgpolicy", "detectorid" "af386276 e080 4ea5 9ac0 04027f4bf0b5", "assignedto" "microsoft (to remove duplicates)", "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "oauthapplication", "evidencecreationtime" "2023 03 22t19 39 09 7266667z", "verdict" "suspicious", "remediationstatus" "none", "applicationid" "c6774a09 55a7 4a7f b89f 87f2ba93c3d6", "applicationname" "sharepoint app registration" } ] } ] }, { "incidentid" 383, "incidenturi" "https //security microsoft com/incidents/383?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "tenant allow/block list entry is about to expire", "createdtime" "2023 03 27t14 05 30 3633333z", 
"lastupdatetime" "2023 03 27t14 05 30 4733333z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "active", "severity" "informational", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "fa0dbb0164 9fc7 c237 4200 08db2ecbf95e", "provideralertid" "0dbb0164 9fc7 c237 4200 08db2ecbf95e", "incidentid" 383, "servicesource" "microsoftdefenderforoffice365", "creationtime" "2023 03 27t14 05 27 9636062z", "lastupdatedtime" "2023 03 27t14 05 30 3866667z", "resolvedtime" null, "firstactivity" "2023 03 27t14 02 39z", "lastactivity" "2023 03 27t14 02 39z", "title" "tenant allow/block list entry is about to expire", "description" "a tenant allow/block list entry will be removed due to expiration v1 0 0 0", "category" "initialaccess", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "queued", "classification" null, "determination" null, "detectionsource" "officeatp", "detectorid" "d063f1c3 572d 40ea a32c f339cab57a33", "assignedto" null, "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "mailbox", "evidencecreationtime" "2023 03 27t14 05 28 15z", "verdict" "suspicious", "remediationstatus" "none", "userprincipalname" "securitycomplianceevent", "mailboxaddress" "securitycomplianceevent" } ] } ] }, { "incidentid" 382, "incidenturi" "https //security microsoft com/incidents/382?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" null, "incidentname" "tenant allow/block list entry is about to expire", "createdtime" "2023 03 27t00 12 37 61z", "lastupdatetime" "2023 03 27t00 12 37 7233333z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "active", "severity" "informational", "tags" \[], "comments" \[], "alerts" \[ { "alertid" "fa0dbb0164 9fc7 c237 c200 08db2e57beba", "provideralertid" "0dbb0164 9fc7 c237 c200 08db2e57beba", "incidentid" 382, "servicesource" "microsoftdefenderforoffice365", 
"creationtime" "2023 03 27t00 12 37 2788951z", "lastupdatedtime" "2023 03 27t00 12 38 5266667z", "resolvedtime" null, "firstactivity" "2023 03 27t00 10 00z", "lastactivity" "2023 03 27t00 11 00z", "title" "tenant allow/block list entry is about to expire", "description" "a tenant allow/block list entry will be removed due to expiration v1 0 0 0", "category" "initialaccess", "status" "new", "severity" "informational", "investigationid" null, "investigationstate" "queued", "classification" null, "determination" null, "detectionsource" "officeatp", "detectorid" "d063f1c3 572d 40ea a32c f339cab57a33", "assignedto" null, "actorname" null, "threatfamilyname" null, "mitretechniques" \[], "devices" \[], "entities" \[ { "entitytype" "mailbox", "evidencecreationtime" "2023 03 27t00 12 38 49z", "verdict" "suspicious", "remediationstatus" "none", "userprincipalname" "securitycomplianceevent", "mailboxaddress" "securitycomplianceevent" } ] } ] }, { "incidentid" 378, "incidenturi" "https //security microsoft com/incidents/378?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", "createdtime" "2023 03 24t21 25 42 42z", "lastupdatetime" "2023 03 24t21 28 56 6733333z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 379, "incidenturi" "https //security microsoft com/incidents/379?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", "createdtime" "2023 03 24t21 25 45 05z", "lastupdatetime" "2023 03 24t21 28 56 6733333z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 380, "incidenturi" "https //security microsoft com/incidents/380?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", 
"createdtime" "2023 03 24t21 25 54 42z", "lastupdatetime" "2023 03 24t21 28 56 6733333z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 381, "incidenturi" "https //security microsoft com/incidents/381?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", "createdtime" "2023 03 24t21 26 00 9866667z", "lastupdatetime" "2023 03 24t21 28 56 6733333z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 375, "incidenturi" "https //security microsoft com/incidents/375?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", "createdtime" "2023 03 24t20 28 21 99z", "lastupdatetime" "2023 03 24t20 33 35 7366667z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 376, "incidenturi" "https //security microsoft com/incidents/376?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", "createdtime" "2023 03 24t20 28 23 1933333z", "lastupdatetime" "2023 03 24t20 33 35 7366667z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 377, "incidenturi" "https //security microsoft com/incidents/377?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", "createdtime" "2023 03 24t20 28 30 17z", "lastupdatetime" "2023 03 24t20 33 35 7366667z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] 
}, { "incidentid" 374, "incidenturi" "https //security microsoft com/incidents/374?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", "createdtime" "2023 03 24t20 28 21 7166667z", "lastupdatetime" "2023 03 24t20 31 30 9433333z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 370, "incidenturi" "https //security microsoft com/incidents/370?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", "createdtime" "2023 03 24t19 20 08 2766667z", "lastupdatetime" "2023 03 24t19 23 38 0233333z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 371, "incidenturi" "https //security microsoft com/incidents/371?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", "createdtime" "2023 03 24t19 20 19 75z", "lastupdatetime" "2023 03 24t19 23 38 0233333z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 372, "incidenturi" "https //security microsoft com/incidents/372?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", "createdtime" "2023 03 24t19 20 26 8233333z", "lastupdatetime" "2023 03 24t19 23 38 0233333z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 373, "incidenturi" "https //security microsoft com/incidents/373?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", "createdtime" "2023 03 24t19 20 40 1133333z", "lastupdatetime" "2023 
03 24t19 23 38 0233333z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 366, "incidenturi" "https //security microsoft com/incidents/366?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", "createdtime" "2023 03 24t18 25 34 9633333z", "lastupdatetime" "2023 03 24t18 28 52 97z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 367, "incidenturi" "https //security microsoft com/incidents/367?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", "createdtime" "2023 03 24t18 25 51 03z", "lastupdatetime" "2023 03 24t18 28 52 97z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 368, "incidenturi" "https //security microsoft com/incidents/368?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", "createdtime" "2023 03 24t18 25 58 8366667z", "lastupdatetime" "2023 03 24t18 28 52 97z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 369, "incidenturi" "https //security microsoft com/incidents/369?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", "createdtime" "2023 03 24t18 26 01 0733333z", "lastupdatetime" "2023 03 24t18 28 52 97z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 362, "incidenturi" "https //security microsoft 
com/incidents/362?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", "createdtime" "2023 03 24t17 25 34 1366667z", "lastupdatetime" "2023 03 24t17 29 41 99z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 363, "incidenturi" "https //security microsoft com/incidents/363?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", "createdtime" "2023 03 24t17 25 47 3066667z", "lastupdatetime" "2023 03 24t17 29 41 99z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 364, "incidenturi" "https //security microsoft com/incidents/364?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", "createdtime" "2023 03 24t17 25 48 7933333z", "lastupdatetime" "2023 03 24t17 29 41 99z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 365, "incidenturi" "https //security microsoft com/incidents/365?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", "createdtime" "2023 03 24t17 26 00 44z", "lastupdatetime" "2023 03 24t17 29 41 99z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 360, "incidenturi" "https //security microsoft com/incidents/360?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", "createdtime" "2023 03 24t16 31 49 63z", "lastupdatetime" "2023 03 24t16 35 56 95z", "assignedto" null, "classification" "unknown", "determination" 
"notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 361, "incidenturi" "https //security microsoft com/incidents/361?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", "createdtime" "2023 03 24t16 32 07 91z", "lastupdatetime" "2023 03 24t16 35 56 95z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 358, "incidenturi" "https //security microsoft com/incidents/358?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", "createdtime" "2023 03 24t16 31 24 7733333z", "lastupdatetime" "2023 03 24t16 33 45 46z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 359, "incidenturi" "https //security microsoft com/incidents/359?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", "createdtime" "2023 03 24t16 31 31 0933333z", "lastupdatetime" "2023 03 24t16 33 45 46z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 354, "incidenturi" "https //security microsoft com/incidents/354?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", "createdtime" "2023 03 24t15 10 35 15z", "lastupdatetime" "2023 03 24t15 24 51 04z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 355, "incidenturi" "https //security microsoft com/incidents/355?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" 
"unused app", "createdtime" "2023 03 24t15 10 42 5033333z", "lastupdatetime" "2023 03 24t15 24 51 04z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 356, "incidenturi" "https //security microsoft com/incidents/356?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", "createdtime" "2023 03 24t15 10 50 24z", "lastupdatetime" "2023 03 24t15 24 51 04z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 357, "incidenturi" "https //security microsoft com/incidents/357?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", "createdtime" "2023 03 24t15 11 02 1333333z", "lastupdatetime" "2023 03 24t15 24 51 04z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 350, "incidenturi" "https //security microsoft com/incidents/350?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", "createdtime" "2023 03 24t14 32 12 1933333z", "lastupdatetime" "2023 03 24t14 37 25 85z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 351, "incidenturi" "https //security microsoft com/incidents/351?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", "createdtime" "2023 03 24t14 32 22 6966667z", "lastupdatetime" "2023 03 24t14 37 25 85z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] 
}, { "incidentid" 352, "incidenturi" "https //security microsoft com/incidents/352?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", "createdtime" "2023 03 24t14 32 27 4933333z", "lastupdatetime" "2023 03 24t14 37 25 85z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 353, "incidenturi" "https //security microsoft com/incidents/353?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", "createdtime" "2023 03 24t14 32 33 5633333z", "lastupdatetime" "2023 03 24t14 37 25 85z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 346, "incidenturi" "https //security microsoft com/incidents/346?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", "createdtime" "2023 03 24t13 17 03 0533333z", "lastupdatetime" "2023 03 24t13 20 17 83z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 347, "incidenturi" "https //security microsoft com/incidents/347?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", "createdtime" "2023 03 24t13 17 14 9033333z", "lastupdatetime" "2023 03 24t13 20 17 83z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] }, { "incidentid" 348, "incidenturi" "https //security microsoft com/incidents/348?tid=f5d73c4c bb3d 421b 8bee 424916a4acca", "redirectincidentid" 38, "incidentname" "unused app", "createdtime" "2023 03 24t13 17 19 0966667z", "lastupdatetime" "2023 03 24t13 20 17 
83z", "assignedto" null, "classification" "unknown", "determination" "notavailable", "status" "redirected", "severity" "medium", "tags" \[], "comments" \[], "alerts" \[] } ], "@odata nextlink" "https //api security microsoft com/api/incidents/?$skip=100" } ] output parameters @odata context (string) value (array) – one object per incident with the fields below incidentid (number) incidenturi (string) – portal link to the incident; note that it carries the tenant id in its tid= query parameter redirectincidentid (number) – null unless the incident was merged into another one; when status is "redirected" this holds the surviving incident's id (in the example every "unused app" incident points to incident 38 and has an empty alerts array), so consumers that count, triage or open tickets per incident should follow this id instead of treating redirected entries as separate incidents incidentname (string) createdtime (string) lastupdatetime (string) – timestamps end in z (UTC); lastupdatetime is the field to use with $filter for incremental polling assignedto (object) – null in every incident in the example when unassigned (at alert level the example shows a plain string) classification (string) determination (string) status (string) – values seen in the example: active, redirected severity (string) – values seen in the example: informational, medium, high tags (array) file name (string) – required file (string) – required comments (array) file name (string) – required file (string) – required alerts (array) file name (string) – required file (string) – required – NOTE(review): the "file name"/"file" entries listed under tags, comments and alerts do not match the example and look like template placeholders; in the example tags and comments are always empty, and alerts holds one object per alert with alertid, provideralertid, incidentid, servicesource, creationtime, lastupdatedtime, resolvedtime, firstactivity, lastactivity, title, description, category, status, severity, investigationid, investigationstate, classification, determination, detectionsource, detectorid, assignedto, actorname, threatfamilyname, mitretechniques, devices and entities. Security caveat: alert description values contain HTML markup (anchor tags linking into security.microsoft.com) and display names taken from the tenant's own app registrations – treat them as untrusted data and HTML-encode them before rendering in a UI, a chat notification or a ticket body @odata nextlink (string) – absolute URL of the next page of results (the example continues with $skip=100); follow it rather than computing $skip offsets by hand