Get Machine Related Alerts
Description: Retrieve alerts from Microsoft Defender that are related to a specific machine, identified by the machine's unique ID.

Endpoint URL: /api/machines/{{id}}/alerts
Method: GET

Inputs: Path Parameters (object) – required; id (string) – required. The `id` value is interpolated directly into the request path, so validate it against the Defender machine ID format before passing it from an untrusted source (the machine ID in the example below is a 40-character hexadecimal string); a value containing `/`, `..` or `?` would otherwise change which API path the request is sent to.

Output Example: The response body carries tenant and machine identifiers, logged-on account names, and evidence file paths and hashes — treat it as sensitive incident data when storing or forwarding it. The sample below was captured from a test tenant (EICAR test file and Metasploit artifacts) and has had its colons, hyphens and periods stripped during rendering; the live API returns standard JSON with camelCase field names.

\[ { "status code" 200, "response headers" { "date" "thu, 04 may 2023 17 55 47 gmt", "content type" "application/json; odata metadata=minimal; odata streaming=true; charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive", "content encoding" "deflate", "vary" "accept encoding", "odata version" "4 0", "strict transport security" "max age=15724800; includesubdomains" }, "reason" "ok", "json body" { "@odata context" "https //api securitycenter microsoft com/api/$metadata#alerts", "value" \[ { "id" "ar638180599315648136 73827727", "incidentid" 400, "investigationid" 6, "assignedto" "api action", "severity" "informational", "status" "resolved", "classification" null, "determination" null, "investigationstate" "benign", "detectionsource" "automatedinvestigation", "detectorid" "5c6b7d86 c91f 4f8c 8aec 9d2086f46527", "category" "suspiciousactivity", "threatfamilyname" null, "title" "automated investigation started manually", "description" "se pov user(pov\@swimlaneintegrations onmicrosoft com) initiated an automated investigation on se pov desktop \n the investigation automatically identifies and reviews threat artifacts for possible remediation ", "alertcreationtime" "2023 04 25t22 52 11 5648315z", "firsteventtime" "2023 04 25t22 52 11z", "lasteventtime" "2023 04 25t22 52 11z", "lastupdatetime" "2023 04 25t22 58 00 55z", "resolvedtime" "2023 04 25t22 58 00 4108067z", "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" null, "mitretechniques" \[], "relateduser" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ], "comments" \[], "evidence" \[ 
{ "entitytype" "ip", "evidencecreationtime" "2023 04 25t22 52 11 7733333z", "sha1" null, "sha256" null, "filename" null, "filepath" null, "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" null } ], "domains" \[] }, { "id" "da0c7e089d 5ff6 4e04 8000 17f4e35fa783 1", "incidentid" 392, "investigationid" null, "assignedto" null, "severity" "informational", "status" "new", "classification" null, "determination" null, "investigationstate" "unsupportedalerttype", "detectionsource" "windowsdefenderav", "detectorid" "12cfe475 4973 4a03 ad53 60dca8bf9d3d", "category" "malware", "threatfamilyname" "eicar test file", "title" "malware was detected in a zip archive file", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected devices\u200b some of these undesirable applications can replicate and spread from one device to another other devices receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection indicates that malware was found in an archive file the malware has not been launched if real time protection is turned on and the threat is not excluded, any attempt to detonate the malware from this archive will be blocked ", "alertcreationtime" "2023 04 19t13 42 13 1851332z", "firsteventtime" "2023 04 19t13 30 57 9123134z", "lasteventtime" "2023 04 19t13 30 57 9123134z", "lastupdatetime" "2023 04 19t13 42 14 3133333z", "resolvedtime" null, "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" 
null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" "virus\ dos/eicar test file", "mitretechniques" \[], "relateduser" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ], "comments" \[], "evidence" \[ { "entitytype" "file", "evidencecreationtime" "2023 04 19t13 42 13 3466667z", "sha1" "3395856ce81f2b7382dee72602f798b642f14140", "sha256" "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", "filename" "eicarcom2 (1) zip", "filepath" "c \\\users\\\chris phillips\\\downloads", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" "detected" } ], "domains" \[] }, { "id" "da14ac5136 324c 4dd7 8e22 a880f7266da7 1", "incidentid" 392, "investigationid" 4, "assignedto" "api action", "severity" "informational", "status" "resolved", "classification" null, "determination" null, "investigationstate" "successfullyremediated", "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "category" "malware", "threatfamilyname" "eicar test file", "title" "'eicar test file' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs 
of infection ", "alertcreationtime" "2023 04 19t13 43 49 3882906z", "firsteventtime" "2023 04 19t13 30 57 913646z", "lasteventtime" "2023 04 19t13 30 57 913646z", "lastupdatetime" "2023 04 19t18 28 28 84z", "resolvedtime" "2023 04 19t18 28 28 5479406z", "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" "virus\ dos/eicar test file", "mitretechniques" \[], "relateduser" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ], "comments" \[], "evidence" \[ { "entitytype" "file", "evidencecreationtime" "2023 04 19t13 43 49 46z", "sha1" "bec1b52d350d721c7e22a6d4bb0a92909893a3ae", "sha256" null, "filename" "eicarcom2 (1) zip", "filepath" "c \\\users\\\chris phillips\\\downloads", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" "detected" } ], "domains" \[] }, { "id" "da163c9003 bc7d 4649 89e3 dfdf927da744 1", "incidentid" 407, "investigationid" null, "assignedto" null, "severity" "informational", "status" "new", "classification" null, "determination" null, "investigationstate" "unsupportedalerttype", "detectionsource" "windowsdefenderav", "detectorid" "12cfe475 4973 4a03 ad53 60dca8bf9d3d", "category" "malware", "threatfamilyname" "eicar test file", "title" "malware was detected in a zip archive file", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected devices\u200b some of these undesirable applications can replicate and 
spread from one device to another other devices receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection indicates that malware was found in an archive file the malware has not been launched if real time protection is turned on and the threat is not excluded, any attempt to detonate the malware from this archive will be blocked ", "alertcreationtime" "2023 04 26t15 25 00 2604342z", "firsteventtime" "2023 04 26t15 05 59 1225425z", "lasteventtime" "2023 04 26t15 09 18 9067858z", "lastupdatetime" "2023 04 26t15 27 59 8566667z", "resolvedtime" null, "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" "virus\ dos/eicar test file", "mitretechniques" \[], "relateduser" null, "loggedonusers" \[], "comments" \[], "evidence" \[ { "entitytype" "file", "evidencecreationtime" "2023 04 26t15 25 00 2866667z", "sha1" "3395856ce81f2b7382dee72602f798b642f14140", "sha256" "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", "filename" "eicarcom2 (1) zip", "filepath" "c \\\users\\\chris phillips\\\downloads", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" "detected" } ], "domains" \[] }, { "id" "da17fbbe7a a8fc 497d 8f87 7de15a27c2df 1", "incidentid" 396, "investigationid" 5, "assignedto" "api action", "severity" "low", "status" "resolved", "classification" null, "determination" null, "investigationstate" "successfullyremediated", "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf 
d227 4f4f bc32 a9f0a0e842dd", "category" "exploit", "threatfamilyname" "cve 2015 0318", "title" "'cve 2015 0318' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "alertcreationtime" "2023 04 19t22 03 07 7939898z", "firsteventtime" "2023 04 19t22 01 16 2819441z", "lasteventtime" "2023 04 19t22 01 16 2819441z", "lastupdatetime" "2023 04 19t22 17 02 9966667z", "resolvedtime" "2023 04 19t22 17 02 7376611z", "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" "exploit\ swf/cve 2015 0318!mtb", "mitretechniques" \[], "relateduser" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ], "comments" \[], "evidence" \[ { "entitytype" "file", "evidencecreationtime" "2023 04 19t22 03 07 9966667z", "sha1" "0c928d246d947f8bb359f9ae186e4a9cef56469c", "sha256" "fae80e9142f46314a211047f2a047e37d09d053cf9063f3c4188d47f43f31e8d", "filename" "main swf", "filepath" "c \\\metasploit framework\\\embedded\\\framework\\\data\\\exploits\\\cve 2015 0318", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" 
null, "userprincipalname" null, "detectionstatus" "detected" } ], "domains" \[] }, { "id" "da1c42fa48 be2d 4820 9fb0 d39bde338a59 1", "incidentid" 393, "investigationid" 4, "assignedto" "api action", "severity" "informational", "status" "resolved", "classification" null, "determination" null, "investigationstate" "successfullyremediated", "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "category" "malware", "threatfamilyname" "skeeyah", "title" "'skeeyah' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "alertcreationtime" "2023 04 19t17 48 49 1062764z", "firsteventtime" "2023 04 19t17 46 46 4770357z", "lasteventtime" "2023 04 19t17 46 46 4770357z", "lastupdatetime" "2023 04 19t18 28 28 84z", "resolvedtime" "2023 04 19t18 28 28 5479406z", "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" "trojan\ win32/skeeyah a!bit", "mitretechniques" \[], "relateduser" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ], "comments" \[], "evidence" \[ { "entitytype" "file", "evidencecreationtime" "2023 04 19t17 48 49 2933333z", "sha1" "0b884a0b72e389bb40e6efd88b3cf977d7410e45", "sha256" "cc9a1c9f982e04404567d73b6f0a19bfac43a63280c47f3fa94d64d24d1c544a", "filename" "msf swf", "filepath" "c \\\metasploit framework\\\embedded\\\framework\\\data\\\exploits\\\cve 2015 3113", "processid" null, 
"processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" "detected" } ], "domains" \[] }, { "id" "da36aabc3a 0496 4590 b652 a3b8dda1c7ef 1", "incidentid" 393, "investigationid" 4, "assignedto" "api action", "severity" "low", "status" "resolved", "classification" null, "determination" null, "investigationstate" "successfullyremediated", "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "category" "exploit", "threatfamilyname" "cve 2014 0515", "title" "'cve 2014 0515' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "alertcreationtime" "2023 04 19t17 48 49 0574812z", "firsteventtime" "2023 04 19t17 46 46 4770008z", "lasteventtime" "2023 04 19t17 46 46 4770008z", "lastupdatetime" "2023 04 19t18 28 28 84z", "resolvedtime" "2023 04 19t18 28 28 5479406z", "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" "exploit\ swf/cve 2014 0515", "mitretechniques" \[], "relateduser" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov 
desktop" } ], "comments" \[], "evidence" \[ { "entitytype" "file", "evidencecreationtime" "2023 04 19t17 48 49 3066667z", "sha1" "7d5ed7cddd2cbe580a88b90a89695216ef25e346", "sha256" "3c131569aaec7e3b313c8f03305d8eb8ef9915bbfe819c6d4a9b4b02f3f163ef", "filename" "msf swf", "filepath" "c \\\metasploit framework\\\embedded\\\framework\\\data\\\exploits\\\cve 2014 0515", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" "detected" } ], "domains" \[] }, { "id" "da3e76d950 79f2 4050 b425 82fb969bc92a 1", "incidentid" 407, "investigationid" 12, "assignedto" "api action", "severity" "informational", "status" "resolved", "classification" null, "determination" null, "investigationstate" "successfullyremediated", "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "category" "malware", "threatfamilyname" "eicar test file", "title" "'eicar test file' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "alertcreationtime" "2023 04 26t15 20 10 6946z", "firsteventtime" "2023 04 26t15 05 59 1225823z", "lasteventtime" "2023 04 26t15 09 18 9337128z", "lastupdatetime" "2023 
04 26t15 35 48 86z", "resolvedtime" "2023 04 26t15 35 48 6958753z", "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" "virus\ dos/eicar test file", "mitretechniques" \[], "relateduser" null, "loggedonusers" \[], "comments" \[], "evidence" \[ { "entitytype" "file", "evidencecreationtime" "2023 04 26t15 25 00 04z", "sha1" "3395856ce81f2b7382dee72602f798b642f14140", "sha256" "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", "filename" "eicar com txt", "filepath" "c \\\users\\\chris phillips\\\downloads", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" "detected" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t15 20 12 1566667z", "sha1" "d27265074c9eac2e2122ed69294dbc4d7cce9141", "sha256" null, "filename" "eicar com zip", "filepath" "c \\\users\\\chris phillips\\\downloads", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" "detected" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t15 20 11 75z", "sha1" "bec1b52d350d721c7e22a6d4bb0a92909893a3ae", "sha256" null, "filename" "eicarcom2 (1) zip", "filepath" 
"c \\\users\\\chris phillips\\\downloads", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" "detected" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t15 20 10 8666667z", "sha1" "3395856ce81f2b7382dee72602f798b642f14140", "sha256" null, "filename" "eicar com", "filepath" "c \\\users\\\chris phillips\\\downloads", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" "detected" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t15 20 35 22z", "sha1" "3395856ce81f2b7382dee72602f798b642f14140", "sha256" null, "filename" "eicar com txt", "filepath" "c \\\users\\\chris phillips\\\downloads", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" "detected" } ], "domains" \[] }, { "id" "da45985c2a 5b72 44af acf2 28f061e72059 1", "incidentid" 393, "investigationid" 4, 
"assignedto" "api action", "severity" "informational", "status" "resolved", "classification" null, "determination" null, "investigationstate" "successfullyremediated", "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "category" "malware", "threatfamilyname" "genmaldwn", "title" "'genmaldwn' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "alertcreationtime" "2023 04 19t17 48 49 1682795z", "firsteventtime" "2023 04 19t17 46 46 4770691z", "lasteventtime" "2023 04 19t17 46 46 4770691z", "lastupdatetime" "2023 04 19t18 28 28 84z", "resolvedtime" "2023 04 19t18 28 28 5479406z", "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" "trojandownloader\ bat/genmaldwn k!bit", "mitretechniques" \[], "relateduser" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ], "comments" \[], "evidence" \[ { "entitytype" "file", "evidencecreationtime" "2023 04 19t17 48 49 2933333z", "sha1" "919264563b8f04fd71127fa200bb7120c089acb6", "sha256" "2f8890164f092c36e0b2f7021a01b6051cf4fdfca637e7abae690a843d8cffbd", "filename" "postgres copy from program cmd exec md", "filepath" "c \\\metasploit framework\\\embedded\\\framework\\\documentation\\\modules\\\exploit\\\multi\\\postgres", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" 
null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" "detected" } ], "domains" \[] }, { "id" "da59278d48 685b 44bf 912c 7040e009cd03 1", "incidentid" 404, "investigationid" 10, "assignedto" "api action", "severity" "medium", "status" "resolved", "classification" null, "determination" null, "investigationstate" "benign", "detectionsource" "windowsdefenderav", "detectorid" "51d03c45 b142 4de4 95df 01b0c259d8f6", "category" "ransomware", "threatfamilyname" "cve", "title" "'cve' ransomware was detected", "description" "ransomware use common methods to encrypt files using keys that are known only to attackers as a result, victims are unable to access the contents of the encrypted files most ransomware display or drop a ransom note\u2014an image or an html file that contains information about how to obtain the attacker supplied decryption tool for a fee \u00a0\u00a0 \n\nto target documents or other files that contain user data, some ransomware look for files in certain locations and files with certain extension names it is also common for ransomware to rename encrypted files so that they all use the same extension name \u00a0 \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "alertcreationtime" "2023 04 26t00 47 55 268943z", "firsteventtime" "2023 04 26t00 44 40 7717353z", "lasteventtime" "2023 04 26t00 44 40 7717353z", "lastupdatetime" "2023 04 26t01 17 24 7233333z", "resolvedtime" "2023 04 26t01 17 24 3340349z", "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" 
"ransom\ win32/cve", "mitretechniques" \[], "relateduser" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ], "comments" \[], "evidence" \[ { "entitytype" "file", "evidencecreationtime" "2023 04 26t00 47 55 4466667z", "sha1" "3dd0cca8397a7863ac3113e20cb34e8e77e3c189", "sha256" "4bd6fc62a26c09c771ae664209f35767b5cfb8547694f3c54d83d97ccdbe3278", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" "detected" } ], "domains" \[] }, { "id" "da5a9d6588 c19d 4830 890b dc56ee38c0c7 1", "incidentid" 409, "investigationid" null, "assignedto" null, "severity" "medium", "status" "new", "classification" null, "determination" null, "investigationstate" "unsupportedalerttype", "detectionsource" "windowsdefenderav", "detectorid" "f37b8bc2 cfd2 4a8e ac62 24a7df1e698c", "category" "suspiciousactivity", "threatfamilyname" "meterpreter", "title" "meterpreter post exploitation tool", "description" "meterpreter, a post exploitation tool was detected on this device meterpreter is deployed using dll injection meterpreter was used in a wide range of documented attacks, including attacks involving state sponsored groups and groups associated with ransomware campaigns an attacker might be attempting to establish persistence, discover and steal credentials, or install and launch a payload in the device that might lead to further system compromise detections of meterpreter tools and activity should be thoroughly investigated ", "alertcreationtime" "2023 04 26t19 
07 43 6797826z", "firsteventtime" "2023 04 26t18 56 29 42738z", "lasteventtime" "2023 04 26t19 01 01 5335947z", "lastupdatetime" "2023 04 26t19 09 51 96z", "resolvedtime" null, "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" "virtool\ java/meterpreter a", "mitretechniques" \[ "t1055 001" ], "relateduser" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ], "comments" \[], "evidence" \[ { "entitytype" "file", "evidencecreationtime" "2023 04 26t19 07 44 0133333z", "sha1" "3dd0cca8397a7863ac3113e20cb34e8e77e3c189", "sha256" "4bd6fc62a26c09c771ae664209f35767b5cfb8547694f3c54d83d97ccdbe3278", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" "detected" } ], "domains" \[] }, { "id" "da638181185158896141 667602127", "incidentid" 406, "investigationid" 12, "assignedto" "api action", "severity" "informational", "status" "resolved", "classification" null, "determination" null, "investigationstate" "successfullyremediated", "detectionsource" "customerti", "detectorid" "360fdb3b 18a9 471b 9ad0 ad80a4cbcb00", "category" "suspiciousactivity", "threatfamilyname" null, "title" "test2", "description" "test2", "alertcreationtime" "2023 04 26t15 08 35 8896313z", "firsteventtime" "2023 04 26t15 05 50 4145357z", "lasteventtime" "2023 04 26t15 08 15 3151687z", "lastupdatetime" "2023 04 26t15 35 48 86z", "resolvedtime" "2023 
04 26t15 35 48 6958753z", "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" null, "mitretechniques" \[], "relateduser" { "username" "chris phillips", "domainname" "se pov desktop" }, "loggedonusers" \[], "comments" \[], "evidence" \[ { "entitytype" "file", "evidencecreationtime" "2023 04 26t15 08 36 46z", "sha1" null, "sha256" null, "filename" "unconfirmed 408530 crdownload", "filepath" "c \\\users\\\chris phillips\\\downloads", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" "detected" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t15 08 36 46z", "sha1" "3395856ce81f2b7382dee72602f798b642f14140", "sha256" "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", "filename" "eicar com txt", "filepath" "c \\\users\\\chris phillips\\\downloads", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" "detected" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t15 10 35 01z", "sha1" "3395856ce81f2b7382dee72602f798b642f14140", "sha256" "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", "filename" "eicar 
com", "filepath" "c \\\users\\\chris phillips\\\appdata\\\local\\\temp\\\temp1 eicar com zip", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" "detected" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t15 08 37 1466667z", "sha1" "3395856ce81f2b7382dee72602f798b642f14140", "sha256" null, "filename" "c \\\users\\\chris phillips\\\downloads", "filepath" "c \\\users\\\chris phillips", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" null }, { "entitytype" "process", "evidencecreationtime" "2023 04 26t15 10 35 01z", "sha1" "3e3873d99586dd7d82c3d1f1495215383528d91d", "sha256" "95caa6b0b798ac401f463368415d1504951e09de21557d4106730223a4dd24c0", "filename" "explorer exe", "filepath" "c \\\windows", "processid" 4968, "processcommandline" "explorer exe", "processcreationtime" "2023 04 26t15 03 20 2885187z", "parentprocessid" 2088, "parentprocesscreationtime" "2023 04 26t15 03 19 1339605z", "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" "chris phillips", "domainname" "se pov desktop", "usersid" "s 1 5 
21 194594600 1176474489 2137218832 1001", "aaduserid" null, "userprincipalname" "chris phillips\@tritonamps com", "detectionstatus" "detected" }, { "entitytype" "user", "evidencecreationtime" "2023 04 26t15 08 36 46z", "sha1" null, "sha256" null, "filename" null, "filepath" null, "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" "chris phillips", "domainname" "se pov desktop", "usersid" "s 1 5 21 194594600 1176474489 2137218832 1001", "aaduserid" null, "userprincipalname" "chris phillips\@tritonamps com", "detectionstatus" null }, { "entitytype" "process", "evidencecreationtime" "2023 04 26t15 08 36 46z", "sha1" "8031c7351854c0bde1ad92ccc4d692ae7760a61d", "sha256" "df288ae318eadac6005fd8f73a61b87d234a5f8ff4e3553843e956b680879659", "filename" "msedge exe", "filepath" "c \\\program files (x86)\\\microsoft\\\edge\\\application", "processid" 5112, "processcommandline" "\\"msedge exe\\" no startup window win session start /prefetch 5", "processcreationtime" "2023 04 26t15 03 46 0480713z", "parentprocessid" 4968, "parentprocesscreationtime" "2023 04 26t15 03 20 2885187z", "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" "chris phillips", "domainname" "se pov desktop", "usersid" "s 1 5 21 194594600 1176474489 2137218832 1001", "aaduserid" null, "userprincipalname" "chris phillips\@tritonamps com", "detectionstatus" "detected" }, { "entitytype" "process", "evidencecreationtime" "2023 04 26t15 08 36 86z", "sha1" "8031c7351854c0bde1ad92ccc4d692ae7760a61d", "sha256" 
"df288ae318eadac6005fd8f73a61b87d234a5f8ff4e3553843e956b680879659", "filename" "msedge exe", "filepath" "c \\\program files (x86)\\\microsoft\\\edge\\\application", "processid" 10988, "processcommandline" "\\"msedge exe\\" type=utility utility sub type=quarantine mojom quarantine lang=en us service sandbox type=none mojo platform channel handle=3048 field trial handle=2124,i,17699120498490175102,12163351567194471964,131072 /prefetch 8", "processcreationtime" "2023 04 26t15 05 50 4046922z", "parentprocessid" 5112, "parentprocesscreationtime" "2023 04 26t15 03 46 0480713z", "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" "chris phillips", "domainname" "se pov desktop", "usersid" "s 1 5 21 194594600 1176474489 2137218832 1001", "aaduserid" null, "userprincipalname" "chris phillips\@tritonamps com", "detectionstatus" "detected" } ], "domains" \[] }, { "id" "da638181185158896391 633475706", "incidentid" 406, "investigationid" 12, "assignedto" "api action", "severity" "informational", "status" "resolved", "classification" null, "determination" null, "investigationstate" "successfullyremediated", "detectionsource" "customerti", "detectorid" "360fdb3b 18a9 471b 9ad0 ad80a4cbcb00", "category" "suspiciousactivity", "threatfamilyname" null, "title" "test", "description" "test", "alertcreationtime" "2023 04 26t15 08 35 8761679z", "firsteventtime" "2023 04 26t15 05 47 8062393z", "lasteventtime" "2023 04 26t15 09 18 9337128z", "lastupdatetime" "2023 04 26t15 35 48 4666667z", "resolvedtime" "2023 04 26t15 33 39 8027026z", "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" null, "mitretechniques" \[], "relateduser" { "username" "chris phillips", "domainname" "se pov desktop" }, 
"loggedonusers" \[], "comments" \[], "evidence" \[ { "entitytype" "file", "evidencecreationtime" "2023 04 26t15 08 36 0666667z", "sha1" "bec1b52d350d721c7e22a6d4bb0a92909893a3ae", "sha256" "e1105070ba828007508566e28a2b8d4c65d192e9eaf3b7868382b7cae747b397", "filename" "eicarcom2 (1) zip", "filepath" "c \\\users\\\chris phillips\\\downloads", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" "detected" }, { "entitytype" "process", "evidencecreationtime" "2023 04 26t15 08 36 5566667z", "sha1" "8031c7351854c0bde1ad92ccc4d692ae7760a61d", "sha256" "df288ae318eadac6005fd8f73a61b87d234a5f8ff4e3553843e956b680879659", "filename" "msedge exe", "filepath" "c \\\program files (x86)\\\microsoft\\\edge\\\application", "processid" 1840, "processcommandline" "\\"msedge exe\\" type=utility utility sub type=quarantine mojom quarantine lang=en us service sandbox type=none mojo platform channel handle=5820 field trial handle=2124,i,17699120498490175102,12163351567194471964,131072 /prefetch 8", "processcreationtime" "2023 04 26t15 05 47 7956542z", "parentprocessid" 5112, "parentprocesscreationtime" "2023 04 26t15 03 46 0480713z", "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" "chris phillips", "domainname" "se pov desktop", "usersid" "s 1 5 21 194594600 1176474489 2137218832 1001", "aaduserid" null, "userprincipalname" "chris phillips\@tritonamps com", "detectionstatus" "detected" }, { "entitytype" "file", 
"evidencecreationtime" "2023 04 26t15 08 37 1066667z", "sha1" "bec1b52d350d721c7e22a6d4bb0a92909893a3ae", "sha256" null, "filename" "c \\\users\\\chris phillips\\\downloads", "filepath" "c \\\users\\\chris phillips", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" null }, { "entitytype" "user", "evidencecreationtime" "2023 04 26t15 08 36 0666667z", "sha1" null, "sha256" null, "filename" null, "filepath" null, "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" "chris phillips", "domainname" "se pov desktop", "usersid" "s 1 5 21 194594600 1176474489 2137218832 1001", "aaduserid" null, "userprincipalname" "chris phillips\@tritonamps com", "detectionstatus" null }, { "entitytype" "process", "evidencecreationtime" "2023 04 26t15 08 36 0666667z", "sha1" "8031c7351854c0bde1ad92ccc4d692ae7760a61d", "sha256" "df288ae318eadac6005fd8f73a61b87d234a5f8ff4e3553843e956b680879659", "filename" "msedge exe", "filepath" "c \\\program files (x86)\\\microsoft\\\edge\\\application", "processid" 5112, "processcommandline" "\\"msedge exe\\" no startup window win session start /prefetch 5", "processcreationtime" "2023 04 26t15 03 46 0480713z", "parentprocessid" 4968, "parentprocesscreationtime" "2023 04 26t15 03 20 2885187z", "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" 
null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" "chris phillips", "domainname" "se pov desktop", "usersid" "s 1 5 21 194594600 1176474489 2137218832 1001", "aaduserid" null, "userprincipalname" "chris phillips\@tritonamps com", "detectionstatus" "detected" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t15 08 36 0666667z", "sha1" null, "sha256" null, "filename" "unconfirmed 500556 crdownload", "filepath" "c \\\users\\\chris phillips\\\downloads", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" "detected" } ], "domains" \[] }, { "id" "da7a7c9c2f 7d77 41d9 9d39 1b63b177b9dd 1", "incidentid" 402, "investigationid" 7, "assignedto" "api action", "severity" "low", "status" "resolved", "classification" null, "determination" null, "investigationstate" "benign", "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "category" "exploit", "threatfamilyname" "aicat", "title" "'aicat' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "alertcreationtime" "2023 
04 25t23 28 56 6170228z", "firsteventtime" "2023 04 25t23 15 22 1010382z", "lasteventtime" "2023 04 25t23 15 22 1010382z", "lastupdatetime" "2023 04 25t23 36 18 13z", "resolvedtime" "2023 04 25t23 36 18 1157462z", "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" "exploit\ win32/aicat a!ml", "mitretechniques" \[], "relateduser" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ], "comments" \[], "evidence" \[ { "entitytype" "file", "evidencecreationtime" "2023 04 25t23 28 56 8166667z", "sha1" "0b884a0b72e389bb40e6efd88b3cf977d7410e45", "sha256" "cc9a1c9f982e04404567d73b6f0a19bfac43a63280c47f3fa94d64d24d1c544a", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" "detected" } ], "domains" \[] }, { "id" "da86171505 000f 409f 8e29 86bbc2bf423e 1", "incidentid" 402, "investigationid" 8, "assignedto" "api action", "severity" "low", "status" "resolved", "classification" null, "determination" null, "investigationstate" "successfullyremediated", "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "category" "exploit", "threatfamilyname" "cve 2014 0515", "title" "'cve 2014 0515' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate 
privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "alertcreationtime" "2023 04 25t23 28 56 741128z", "firsteventtime" "2023 04 25t23 15 22 1010382z", "lasteventtime" "2023 04 25t23 15 22 1010382z", "lastupdatetime" "2023 04 25t23 36 08 7933333z", "resolvedtime" "2023 04 25t23 36 08 6865211z", "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" "exploit\ swf/cve 2014 0515", "mitretechniques" \[], "relateduser" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ], "comments" \[], "evidence" \[ { "entitytype" "file", "evidencecreationtime" "2023 04 25t23 28 56 8166667z", "sha1" "7d5ed7cddd2cbe580a88b90a89695216ef25e346", "sha256" "3c131569aaec7e3b313c8f03305d8eb8ef9915bbfe819c6d4a9b4b02f3f163ef", "filename" "49511ba5 691d 0155 986a aa43bb7c1426 1d973b113a34812", "filepath" "c \\\programdata\\\microsoft\\\windows defender\\\scans\\\filesstash", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" "detected" } ], "domains" \[] }, { "id" "da8b8b92a2 15ba 4e8f aa9d cd511e631542 1", "incidentid" 403, "investigationid" 9, "assignedto" "api action", "severity" "low", "status" "resolved", "classification" null, "determination" 
null, "investigationstate" "benign", "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "category" "exploit", "threatfamilyname" "cve 2015 5122", "title" "'cve 2015 5122' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "alertcreationtime" "2023 04 25t23 50 54 7027655z", "firsteventtime" "2023 04 25t23 47 13 7141705z", "lasteventtime" "2023 04 25t23 47 13 7141705z", "lastupdatetime" "2023 04 25t23 58 53 4233333z", "resolvedtime" "2023 04 25t23 58 53 254072z", "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" "exploit\ swf/cve 2015 5122", "mitretechniques" \[], "relateduser" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ], "comments" \[], "evidence" \[ { "entitytype" "file", "evidencecreationtime" "2023 04 25t23 50 54 88z", "sha1" "bd14a982b5e6ed862330de93d958a18186cb8a83", "sha256" "056ad35a15e7c054e1e1ca3874cdf48ccc6cc35418f389b30b79dffcbfaaf4d9", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, 
"accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" "detected" } ], "domains" \[] }, { "id" "daaee6e92d 64aa 478b aa9b 851c8890ef01 1", "incidentid" 411, "investigationid" null, "assignedto" null, "severity" "informational", "status" "new", "classification" null, "determination" null, "investigationstate" "unsupportedalerttype", "detectionsource" "customerti", "detectorid" "08dfd06f d2e2 4049 899f 67b406311d84", "category" "commandandcontrol", "threatfamilyname" null, "title" "connection to a custom network indicator", "description" "an endpoint has connected to a url or domain in your list of custom indicators ", "alertcreationtime" "2023 04 28t15 26 21 1558311z", "firsteventtime" "2023 04 28t15 22 12 6050889z", "lasteventtime" "2023 05 01t13 17 16 729907z", "lastupdatetime" "2023 05 01t13 23 23 1066667z", "resolvedtime" null, "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" null, "mitretechniques" \[], "relateduser" { "username" "chris phillips", "domainname" "se pov desktop" }, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ], "comments" \[], "evidence" \[ { "entitytype" "url", "evidencecreationtime" "2023 04 28t15 26 21 4z", "sha1" null, "sha256" null, "filename" null, "filepath" null, "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" "www google com", "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" null }, { "entitytype" "process", "evidencecreationtime" "2023 04 28t15 26 21 4z", "sha1" 
"8031c7351854c0bde1ad92ccc4d692ae7760a61d", "sha256" "df288ae318eadac6005fd8f73a61b87d234a5f8ff4e3553843e956b680879659", "filename" "msedge exe", "filepath" "c \\\program files (x86)\\\microsoft\\\edge\\\application", "processid" 9828, "processcommandline" "\\"msedge exe\\" no startup window /prefetch 5", "processcreationtime" "2023 04 26t15 08 10 5463209z", "parentprocessid" 5112, "parentprocesscreationtime" "2023 04 26t15 03 46 0480713z", "parentprocessfilename" "msedge exe", "parentprocessfilepath" "\\\device\\\harddiskvolume2\\\program files (x86)\\\microsoft\\\edge\\\application", "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" "chris phillips", "domainname" "se pov desktop", "usersid" "s 1 5 21 194594600 1176474489 2137218832 1001", "aaduserid" null, "userprincipalname" "chris phillips\@tritonamps com", "detectionstatus" "detected" }, { "entitytype" "url", "evidencecreationtime" "2023 04 28t15 26 21 4z", "sha1" null, "sha256" null, "filename" null, "filepath" null, "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" "https //www google com/", "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" null }, { "entitytype" "user", "evidencecreationtime" "2023 04 28t15 26 21 4z", "sha1" null, "sha256" null, "filename" null, "filepath" null, "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" 
null, "registryvalue" null, "registryvaluename" null, "accountname" "chris phillips", "domainname" "se pov desktop", "usersid" "s 1 5 21 194594600 1176474489 2137218832 1001", "aaduserid" null, "userprincipalname" "chris phillips\@tritonamps com", "detectionstatus" null } ], "domains" \[] }, { "id" "dac34692e9 5835 421c 8358 0393b3723ee8 1", "incidentid" 409, "investigationid" 13, "assignedto" "api action", "severity" "low", "status" "resolved", "classification" null, "determination" null, "investigationstate" "benign", "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "category" "exploit", "threatfamilyname" "shellcode", "title" "'shellcode' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "alertcreationtime" "2023 04 26t19 07 43 6314655z", "firsteventtime" "2023 04 26t18 56 29 4275403z", "lasteventtime" "2023 04 26t19 01 01 5342168z", "lastupdatetime" "2023 04 26t19 19 19 87z", "resolvedtime" "2023 04 26t19 19 19 6865725z", "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" "exploit\ html/shellcode g!msr", "mitretechniques" \[], "relateduser" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ], "comments" \[], "evidence" \[ { "entitytype" "file", "evidencecreationtime" "2023 04 26t19 07 44 3z", "sha1" "4153d7617f1df3bacb98927f478fdda5f2a7003c", "sha256" 
"cc49aa4ad5482a95b3cef5e296951980aac74a9367bd4c6ae94dfae305dd4d75", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" "detected" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t19 08 24 6866667z", "sha1" "8cbdc799070926a38deccf5812c3ff65ecdd33be", "sha256" "df8d023ada34fa97fc679b0ce3cb4065940bbf5ec80d57504dc37f8d9bf84991", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" "detected" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t19 08 24 4166667z", "sha1" "e3f8095c01dff061ce3902fe9bc1b0e3877f258a", "sha256" "7a281bd63bc5b04e1ded5ff42808b59d530577b26f3453a1b208c3a0bcfcc458", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, 
"registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" "detected" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t19 08 24 8966667z", "sha1" "01340aa0f6efb9c1c67d22fe6f11f86613b02b6f", "sha256" "77dff28ef7ecb5e1a63cc48a0fd3b25be7278d23a3e2cca56a6487664f6108f3", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" "detected" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t19 08 24 29z", "sha1" "5b3e9b0a9d4d5de278e41caf0103f1e645cb956d", "sha256" "183808c5082c7738f0d01dbc299bb5e28a71e5d45e607aca6fe102a6f639a445", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" "detected" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t19 07 44 0133333z", "sha1" "8a0feaaa9d65588b2b9efdadf7b334a0f996032f", "sha256" "12784b3fe2e70ee17b20f0640c0bce26701e3f463884f86bb645e73ab8ab8124", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris 
phillips\\\downloads", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" "detected" } ], "domains" \[] }, { "id" "dae2edae68 dac2 41da a066 46a2bfbd2187 1", "incidentid" 396, "investigationid" 5, "assignedto" "api action", "severity" "low", "status" "resolved", "classification" null, "determination" null, "investigationstate" "successfullyremediated", "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "category" "exploit", "threatfamilyname" "cve 2015 5122", "title" "'cve 2015 5122' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "alertcreationtime" "2023 04 19t22 03 07 8698409z", "firsteventtime" "2023 04 19t22 01 16 2819781z", "lasteventtime" "2023 04 19t22 01 16 2819781z", "lastupdatetime" "2023 04 19t22 17 02 9966667z", "resolvedtime" "2023 04 19t22 17 02 7376611z", "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" "exploit\ swf/cve 2015 5122", "mitretechniques" \[], "relateduser" null, "loggedonusers" \[ { "accountname" 
"chris phillips", "domainname" "se pov desktop" } ], "comments" \[], "evidence" \[ { "entitytype" "file", "evidencecreationtime" "2023 04 19t22 03 08 0633333z", "sha1" "bd14a982b5e6ed862330de93d958a18186cb8a83", "sha256" "056ad35a15e7c054e1e1ca3874cdf48ccc6cc35418f389b30b79dffcbfaaf4d9", "filename" "msf swf", "filepath" "c \\\metasploit framework\\\embedded\\\framework\\\data\\\exploits\\\cve 2015 5122", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" "detected" } ], "domains" \[] }, { "id" "dae7ea088f df7c 4fd3 bc22 ace8b97ca26f 1", "incidentid" 404, "investigationid" 10, "assignedto" "api action", "severity" "low", "status" "resolved", "classification" null, "determination" null, "investigationstate" "benign", "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "category" "exploit", "threatfamilyname" "shellcode", "title" "'shellcode' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "alertcreationtime" "2023 04 26t00 47 55 3387677z", "firsteventtime" "2023 04 26t00 44 40 7715629z", "lasteventtime" "2023 04 26t00 44 40 7717086z", "lastupdatetime" "2023 
04 26t01 17 24 7233333z", "resolvedtime" "2023 04 26t01 17 24 3340349z", "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" "exploit\ html/shellcode g!msr", "mitretechniques" \[], "relateduser" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ], "comments" \[], "evidence" \[ { "entitytype" "file", "evidencecreationtime" "2023 04 26t00 47 55 4666667z", "sha1" "4153d7617f1df3bacb98927f478fdda5f2a7003c", "sha256" "cc49aa4ad5482a95b3cef5e296951980aac74a9367bd4c6ae94dfae305dd4d75", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" "detected" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t00 47 55 9066667z", "sha1" "8cbdc799070926a38deccf5812c3ff65ecdd33be", "sha256" "df8d023ada34fa97fc679b0ce3cb4065940bbf5ec80d57504dc37f8d9bf84991", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" "detected" }, { 
"entitytype" "file", "evidencecreationtime" "2023 04 26t00 47 55 8z", "sha1" "e3f8095c01dff061ce3902fe9bc1b0e3877f258a", "sha256" "7a281bd63bc5b04e1ded5ff42808b59d530577b26f3453a1b208c3a0bcfcc458", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" "detected" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t00 47 55 88z", "sha1" "01340aa0f6efb9c1c67d22fe6f11f86613b02b6f", "sha256" "77dff28ef7ecb5e1a63cc48a0fd3b25be7278d23a3e2cca56a6487664f6108f3", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" "detected" }, { "entitytype" "file", "evidencecreationtime" "2023 04 26t00 47 55 67z", "sha1" "8a0feaaa9d65588b2b9efdadf7b334a0f996032f", "sha256" "12784b3fe2e70ee17b20f0640c0bce26701e3f463884f86bb645e73ab8ab8124", "filename" "metasploitframework latest msi", "filepath" "c \\\users\\\chris phillips\\\downloads", "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, 
"parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" "detected" } ], "domains" \[] }, { "id" "dafc3894c7 9ed6 4d21 b990 7b858617fd8a 1", "incidentid" 412, "investigationid" null, "assignedto" null, "severity" "informational", "status" "new", "classification" null, "determination" null, "investigationstate" "unsupportedalerttype", "detectionsource" "customerti", "detectorid" "08dfd06f d2e2 4049 899f 67b406311d84", "category" "commandandcontrol", "threatfamilyname" null, "title" "connection to a custom network indicator", "description" "an endpoint has connected to a url or domain in your list of custom indicators ", "alertcreationtime" "2023 05 01t19 18 27 6846556z", "firsteventtime" "2023 05 01t19 15 14 1182628z", "lasteventtime" "2023 05 01t19 15 14 1182628z", "lastupdatetime" "2023 05 01t19 18 30 2733333z", "resolvedtime" null, "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" null, "mitretechniques" \[], "relateduser" { "username" "chris phillips", "domainname" "se pov desktop" }, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ], "comments" \[], "evidence" \[ { "entitytype" "process", "evidencecreationtime" "2023 05 01t19 18 28 51z", "sha1" "8031c7351854c0bde1ad92ccc4d692ae7760a61d", "sha256" "df288ae318eadac6005fd8f73a61b87d234a5f8ff4e3553843e956b680879659", "filename" "msedge exe", "filepath" "c \\\program files (x86)\\\microsoft\\\edge\\\application", "processid" 9828, "processcommandline" "\\"msedge exe\\" no startup window /prefetch 5", "processcreationtime" "2023 04 26t15 08 10 5463209z", "parentprocessid" 5112, "parentprocesscreationtime" "2023 04 26t15 
03 46 0480713z", "parentprocessfilename" "msedge exe", "parentprocessfilepath" "\\\device\\\harddiskvolume2\\\program files (x86)\\\microsoft\\\edge\\\application", "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" "chris phillips", "domainname" "se pov desktop", "usersid" "s 1 5 21 194594600 1176474489 2137218832 1001", "aaduserid" null, "userprincipalname" "chris phillips\@tritonamps com", "detectionstatus" "detected" }, { "entitytype" "user", "evidencecreationtime" "2023 05 01t19 18 28 51z", "sha1" null, "sha256" null, "filename" null, "filepath" null, "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" null, "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" "chris phillips", "domainname" "se pov desktop", "usersid" "s 1 5 21 194594600 1176474489 2137218832 1001", "aaduserid" null, "userprincipalname" "chris phillips\@tritonamps com", "detectionstatus" null }, { "entitytype" "url", "evidencecreationtime" "2023 05 01t19 18 28 51z", "sha1" null, "sha256" null, "filename" null, "filepath" null, "processid" null, "processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" "https //www facebook com/tr", "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" null }, { "entitytype" "url", "evidencecreationtime" "2023 05 01t19 18 28 51z", "sha1" null, "sha256" null, "filename" null, "filepath" null, "processid" null, 
"processcommandline" null, "processcreationtime" null, "parentprocessid" null, "parentprocesscreationtime" null, "parentprocessfilename" null, "parentprocessfilepath" null, "ipaddress" null, "url" "www facebook com", "registrykey" null, "registryhive" null, "registryvaluetype" null, "registryvalue" null, "registryvaluename" null, "accountname" null, "domainname" null, "usersid" null, "aaduserid" null, "userprincipalname" null, "detectionstatus" null } ], "domains" \[] } ] } } ]

Output parameters

- status code (number)
- reason (string)
- json body (object)
  - @odata context (string)
  - value (array)
    - id (string)
    - incidentid (number)
    - investigationid (object)
    - assignedto (object)
    - severity (string)
    - status (string)
    - classification (object)
    - determination (object)
    - investigationstate (string)
    - detectionsource (string)
    - detectorid (string)
    - category (string)
    - threatfamilyname (object)
    - title (string)
    - description (string)
    - alertcreationtime (string)
    - firsteventtime (string)
    - lasteventtime (string)
    - lastupdatetime (string)
    - resolvedtime (object)
    - machineid (string)
    - computerdnsname (string)
    - rbacgroupname (object)
    - aadtenantid (string)
    - threatname (object)
    - mitretechniques (array)
      - file name (string) – required
      - file (string) – required
    - relateduser (object)
      - username (string)
      - domainname (string)
    - loggedonusers (array)
      - accountname (string)
      - domainname (string)
    - comments (array)
      - file name (string) – required
      - file (string) – required
    - evidence (array)
      - entitytype (string)
      - evidencecreationtime (string)
      - sha1 (object)
      - sha256 (object)
      - filename (object)
      - filepath (object)
      - processid (object)
      - processcommandline (object)
      - processcreationtime (object)
      - parentprocessid (object)
      - parentprocesscreationtime (object)
      - parentprocessfilename (object)
      - parentprocessfilepath (object)
      - ipaddress (object)
      - url (string)
      - registrykey (object)
      - registryhive (object)
      - registryvaluetype (object)
      - registryvalue (object)
      - registryvaluename (object)
      - accountname (object)
      - domainname (object)
      - usersid (object)
      - aaduserid (object)
      - userprincipalname (object)
      - detectionstatus (object)
    - domains (array)
      - file name (string) – required
      - file (string) – required

Response headers

| header | type |
| --- | --- |
| date | string |
| content type | string |
| transfer encoding | string |
| connection | string |
| content encoding | string |
| vary | string |
| odata version | string |
| strict transport security | string |