Sample alert for Microsoft Sentinel
A snapshot of the entity, captured at the moment an event occurs in Microsoft Sentinel.
The sample alert becomes available only after you generate the webhook.
{
"$id": "1",
"Version": "3.0",
"VendorName": "Microsoft",
"ProviderName": "ASI Scheduled Alerts",
"ProductName": "Azure Sentinel",
"ProductComponentName": "Scheduled Alerts",
"AlertType": "4dc663f5-b613-4518-8a17-a56a17b31899_6d77d754-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"StartTimeUtc": "2022-04-06T04:26:44.572Z",
"EndTimeUtc": "2022-04-06T04:27:06.73Z",
"TimeGenerated": "2022-04-06T05:30:20.6891354Z",
"ProcessingEndTime": "2022-04-06T05:30:20.6891325Z",
"Status": "New",
"Severity": "Informational",
"IsIncident": false,
"ProviderAlertId": "ea8b0bd6-c205-xxxx-xxxx-xxxxxxxxxxxx",
"SystemAlertId": "77dfe82c-7d04-xxxx-xxxx-xxxxxxxxxxxx",
"CorrelationKey": null,
"Intent": "Unknown",
"ResourceIdentifiers": [
{
"$id": "2",
"WorkspaceId": "4dc663f5-b613-xxxx-xxxx-xxxxxxxxxxxx",
"WorkspaceSubscriptionId": "70b49f2f-13aa-xxxx-xxxx-xxxxxxxxxxxx",
"WorkspaceResourceGroup": "itxlab",
"Type": "LogAnalytics"
}
],
"WorkspaceId": "4dc663f5-b613-xxxx-xxxx-xxxxxxxxxxxx",
"WorkspaceSubscriptionId": "70b49f2f-13aa-xxxx-xxxx-xxxxxxxxxxxx",
"WorkspaceResourceGroup": "itxlab",
"AlertDisplayName": "Alert Details from AzureActivity",
"Description": "Alert Details from AzureActivity Desc",
"ExtendedProperties": {
"Query Period": "01:00:00",
"Trigger Operator": "GreaterThan",
"Trigger Threshold": "0",
"Correlation Id": "4dc663f5-b613--xxxx-xxxx-xxxxxxxxxxxx_6d77d754-7073--xxxx-xxxx-xxxxxxxxxxxx_63784819817838xxxx",
"Search Query Results Overall Count": "50",
"Data Sources": "[\"itxlabwentinelworkspace\"]",
"Query": "// The query_now parameter represents the time (in UTC) at which the scheduled analytics rule ran to produce this alert.\nset query_now = datetime(2022-04-06T05:25:17.8383213Z);\n AzureActivity \n| limit 50",
"Query Start Time UTC": "2022-04-06 04:25:17Z",
"Query End Time UTC": "2022-04-06 05:25:17Z",
"Analytic Rule Ids": "[\"6d77d754-7073-494a-xxxx-xxxx-xxxxxxxxxxxx\"]",
"Event Grouping": "SingleAlert",
"Analytic Rule Name": "Azure Activity Rule",
"ProcessedBySentinel": "True",
"Alert generation status": "Full alert created"
},
"Metadata": {
"WorkspaceRegion": "eastus",
"SourceTags.SourceEnv": "PROD",
"TriggeringRuleNames": "[\"6d77d754-7073-494a-xxxx-xxxx-xxxxxxxxxxxx\"]",
"SentinelWorkspaceRegion": "eastus",
"SentinelWorkspaceGeography": "unitedstates"
},
"Entities": [
{
"$id": "3",
"Address": "199.91.xxx.xx",
"Type": "ip"
},
{
"$id": "4",
"Address": "149.96.x.xx",
"Type": "ip"
}
]
}
For Office 365 Advanced Threat Protection, the sample payload is as follows:
{
"eventUniqueId": "e4affc82-a321-4262-8cd6-a36447f1c39e",
"objectSchemaType": "Incident",
"objectEventType": "Create",
"workspaceInfo": {
"SubscriptionId": "8f93a6b8-61df-4704-xxxx-xxxxxxxxxxxx",
"ResourceGroupName": "rg-azure-sentinel",
"WorkspaceName": "xxx-azure-sentinel"
},
"workspaceId": "7daaf750-c15a-4684-xxxx-xxxxxxxxxxxx",
"object": {
"id": "/subscriptions/8f93a6b8-61df-4704-xxxx-xxxxxxxxxxxx/resourceGroups/rg-azure-sentinel/providers/Microsoft.OperationalInsights/workspaces/xxx-azure-sentinel/providers/Microsoft.SecurityInsights/Incidents/2e58c755-b4c8-4a24-8231-e86a1e46d343",
"name": "2e58c755-b4c8-4a24-8231-e86a1e46d343",
"etag": "\"ba00b698-0000-0d00-0000-627b9eb60000\"",
"type": "Microsoft.SecurityInsights/Incidents",
"properties": {
"title": "Email messages containing malicious URL removed after delivery",
"description": "Emails with malicious URL that were delivered and later removed -V1.0.0.3",
"severity": "Informational",
"status": "Active",
"owner": {
"objectId": null,
"email": null,
"assignedTo": null,
"userPrincipalName": null
},
"labels": [],
"firstActivityTimeUtc": "2022-05-11T11:17:04.4972846Z",
"lastActivityTimeUtc": "2022-05-11T11:17:04.4972846Z",
"lastModifiedTimeUtc": "2022-05-11T11:32:06.0149139Z",
"createdTimeUtc": "2022-05-11T11:32:05.7284391Z",
"incidentNumber": 2606,
"additionalData": {
"alertsCount": 1,
"bookmarksCount": 0,
"commentsCount": 0,
"alertProductNames": [
"Office 365 Advanced Threat Protection"
],
"tactics": [
"PreAttack"
],
"techniques": []
},
"relatedAnalyticRuleIds": [
"/subscriptions/8f93a6b8-61df-4704-xxxx-xxxxxxxxxxxx/resourceGroups/rg-azure-sentinel/providers/Microsoft.OperationalInsights/workspaces/xxx-azure-sentinel/providers/Microsoft.SecurityInsights/alertRules/d6500e61-2f81-4333-9791-0c1ee7fe5bed"
],
"incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/8f93a6b8-61df-4704-xxxx-xxxxxxxxxxxx/resourceGroups/rg-azure-sentinel/providers/Microsoft.OperationalInsights/workspaces/xxx-azure-sentinel/providers/Microsoft.SecurityInsights/Incidents/2e58c755-b4c8-4a24-8231-e86a1e46d343",
"providerName": "Azure Sentinel",
"providerIncidentId": "2606",
"alerts": [
{
"id": "/subscriptions/8f93a6b8-61df-4704-xxxx-xxxxxxxxxxxx/resourceGroups/rg-azure-sentinel/providers/Microsoft.OperationalInsights/workspaces/xxx-azure-sentinel/providers/Microsoft.SecurityInsights/Entities/",
"type": "Microsoft.SecurityInsights/Entities",
"kind": "SecurityAlert",
"properties": {
"systemAlertId": "0c9ac226-84ed-0bbd-19d7-e4848440b558",
"confidenceScore": 1,
"tactics": [
"PreAttack"
],
"alertDisplayName": "Email messages containing malicious URL removed after delivery",
"description": "Emails with malicious URL that were delivered and later removed -V1.0.0.3",
"confidenceLevel": "Unknown",
"severity": "Informational",
"vendorName": "Microsoft",
"productName": "Office 365 Advanced Threat Protection",
"alertType": "8e6ba277-ef39-404e-aaf1-294f6d9a2b88",
"processingEndTime": "2022-05-11T11:25:25.519505Z",
"status": "InProgress",
"endTimeUtc": "2022-05-11T11:17:04.4972846Z",
"startTimeUtc": "2022-05-11T11:17:04.4972846Z",
"timeGenerated": "2022-05-11T11:25:25Z",
"providerAlertId": "a7282af8-bd94-4a06-xxxx-xxxxxxxxxxxx",
"alertLink": "https://protection.office.com/viewalerts?id=a7282af8-bd94-4a06-xxxx-xxxxxxxxxxxx",
"resourceIdentifiers": [
{
"type": "LogAnalytics",
"workspaceId": "7daaf750-c15a-4684-xxxx-xxxxxxxxxxxx"
}
],
"additionalData": {
"InvestigationName": "Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:42ac6f0bbff28fexxxxxxxxxxxxxxxx",
"Status": "Investigation Started",
"ProcessedBySentinel": "True",
"Alert generation status": "Full alert created"
},
"friendlyName": "Email messages containing malicious URL removed after delivery"
}
}
],
"bookmarks": [],
"relatedEntities": [
{
"id": "/subscriptions/8f93a6b8-61df-4704-xxxx-xxxxxxxxxxxx/resourceGroups/rg-azure-sentinel/providers/Microsoft.OperationalInsights/workspaces/xxx-azure-sentinel/providers/Microsoft.SecurityInsights/Entities/",
"type": "Microsoft.SecurityInsights/Entities",
"kind": "Mailbox",
"properties": {
"mailboxPrimaryAddress": "abc.mustermann@xxx.com",
"upn": "abc.mustermann@xxx.com",
"additionalData": {
"Urn": "urn:UserEntity:05ccd0bcf4ca2078976dxxxxxxxxxxxxxx",
"Source": "OATP",
"FirstSeen": "0001-01-01T00:00:00"
},
"friendlyName": "abc.mustermann@xxx.com"
}
},
{
"id": "/subscriptions/8f93a6b8-61df-4704-xxxx-xxxxxxxxxxxx/resourceGroups/rg-azure-sentinel/providers/Microsoft.OperationalInsights/workspaces/xxx-azure-sentinel/providers/Microsoft.SecurityInsights/Entities/",
"type": "Microsoft.SecurityInsights/Entities",
"kind": "MailMessage",
"properties": {
"fileEntityIds": [],
"recipient": "abc.mustermann@xxx.com",
"urls": [
"https://wetransfer.com/?utm_c...",
"https://wetransfer.com/?utm...",
"https://wetransfer.com/pro...",
"https://wetransfer.com/abou...",
"https://wetransfer.com/leg...",
"https://wetransfer.zend...",
"https://wetransfer.zendes...",
"https://wetransfer.zendes...",
"https://webmail.belgium-me...",
"http://smile-netshop.com..."
],
"p1Sender": "support@contoso.com",
"p1SenderDomain": "contoso.com",
"senderIP": "35.157.190.234",
"p2Sender": "support@contoso.com",
"p2SenderDisplayName": "Wetransfer",
"p2SenderDomain": "contoso.com",
"receiveDate": "2022-05-11T11:05:44",
"networkMessageId": "e65b1914-7e6c-4088-xxxx-xxxxxxxxxxxx",
"internetMessageId": "<8a8e3c708be8434846451e23xxxxxxx@contoso.com>",
"subject": "Document .pdf sent successfully to abc.mustermann@xxx.com",
"antispamDirection": "Inbound",
"deliveryAction": "DeliveredAsSpam",
"language": "en",
"threatDetectionMethods": [
"MLModel"
],
"additionalData": {
"OriginalDeliveryLocation": "JunkFolder",
"AdditionalActionsAndResults": "[\"OriginalDelivery: [N/A]\"]",
"AuthDetails": "[{\"Name\":\"SPF\",\"Value\":\"None\"},{\"Name\":\"DKIM\",\"Value\":\"None\"},{\"Name\":\"DMARC\",\"Value\":\"None\"},{\"Name\":\"Comp Auth\",\"Value\":\"none\"}]",
"SystemOverrides": "[]",
"Urn": "urn:MailEntity:db2af87d14724ea5b712xxxxxxxxxxx",
"Source": "OATP",
"FirstSeen": "0001-01-01T00:00:00"
},
"friendlyName": "e65b1914-7e6c-4088-xxxx-xxxxxxxxxxxx"
}
},
{
"id": "/subscriptions/8f93a6b8-61df-4704-xxxx-xxxxxxxxxxxx/resourceGroups/rg-azure-sentinel/providers/Microsoft.OperationalInsights/workspaces/xxx-azure-sentinel/providers/Microsoft.SecurityInsights/Entities/",
"type": "Microsoft.SecurityInsights/Entities",
"kind": "Url",
"properties": {
"url": "http://smile-netshop.com/wet/wetranfers.html#abc.mustermann@xxx.com",
"additionalData": {
"ClickCount": 0,
"EmailCount": 1,
"Urn": "urn:UrlEntity:6a8490467f66f12c26xxxxxxxxxxxxxxxx",
"Source": "OATP",
"FirstSeen": "0001-01-01T00:00:00"
},
"friendlyName": "http://smile-netshop.com/wet/wetranfers.html#abc.mustermann@xxx.com"
}
}
],
"comments": []
}
}
}