Sample alert for Microsoft Sentinel

A snapshot of the alert or incident object that Microsoft Sentinel posts to the webhook when an event occurs. The two samples below have different shapes: the first is a scheduled-analytics alert object; the second is an incident event envelope (`objectSchemaType` "Incident", `objectEventType` "Create") that carries its alerts and related entities under `object.properties`. A consumer must handle both layouts rather than assume one schema.

The sample alert becomes available after you generate the webhook. Treat the payload as untrusted input: it carries tenant identifiers (subscription ID, workspace ID, resource group and workspace names), user mailbox addresses, sender IPs and — in the mail-related entities — URLs that were flagged as malicious. Do not open those URLs, and redact the identifiers (as the "xxxx" masking below does) before sharing a sample outside the team.

{
    "$id": "1",
    "Version": "3.0",
    "VendorName": "Microsoft",
    "ProviderName": "ASI Scheduled Alerts",
    "ProductName": "Azure Sentinel",
    "ProductComponentName": "Scheduled Alerts",
    "AlertType": "4dc663f5-b613-4518-8a17-a56a17b31899_6d77d754-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "StartTimeUtc": "2022-04-06T04:26:44.572Z",
    "EndTimeUtc": "2022-04-06T04:27:06.73Z",
    "TimeGenerated": "2022-04-06T05:30:20.6891354Z",
    "ProcessingEndTime": "2022-04-06T05:30:20.6891325Z",
    "Status": "New",
    "Severity": "Informational",
    "IsIncident": false,
    "ProviderAlertId": "ea8b0bd6-c205-xxxx-xxxx-xxxxxxxxxxxx",
    "SystemAlertId": "77dfe82c-7d04-xxxx-xxxx-xxxxxxxxxxxx",
    "CorrelationKey": null,
    "Intent": "Unknown",
    "ResourceIdentifiers": [
        {
            "$id": "2",
            "WorkspaceId": "4dc663f5-b613-xxxx-xxxx-xxxxxxxxxxxx",
            "WorkspaceSubscriptionId": "70b49f2f-13aa-xxxx-xxxx-xxxxxxxxxxxx",
            "WorkspaceResourceGroup": "itxlab",
            "Type": "LogAnalytics"
        }
    ],
    "WorkspaceId": "4dc663f5-b613-xxxx-xxxx-xxxxxxxxxxxx",
    "WorkspaceSubscriptionId": "70b49f2f-13aa-xxxx-xxxx-xxxxxxxxxxxx",
    "WorkspaceResourceGroup": "itxlab",
    "AlertDisplayName": "Alert Details from AzureActivity",
    "Description": "Alert Details from AzureActivity Desc",
    "ExtendedProperties": {
        "Query Period": "01:00:00",
        "Trigger Operator": "GreaterThan",
        "Trigger Threshold": "0",
        "Correlation Id": "4dc663f5-b613--xxxx-xxxx-xxxxxxxxxxxx_6d77d754-7073--xxxx-xxxx-xxxxxxxxxxxx_63784819817838xxxx",
        "Search Query Results Overall Count": "50",
        "Data Sources": "[\"itxlabwentinelworkspace\"]",
        "Query": "// The query_now parameter represents the time (in UTC) at which the scheduled analytics rule ran to produce this alert.\nset query_now = datetime(2022-04-06T05:25:17.8383213Z);\n AzureActivity  \n| limit 50",
        "Query Start Time UTC": "2022-04-06 04:25:17Z",
        "Query End Time UTC": "2022-04-06 05:25:17Z",
        "Analytic Rule Ids": "[\"6d77d754-7073-494a-xxxx-xxxx-xxxxxxxxxxxx\"]",
        "Event Grouping": "SingleAlert",
        "Analytic Rule Name": "Azure Activity Rule",
        "ProcessedBySentinel": "True",
        "Alert generation status": "Full alert created"
    },
    "Metadata": {
        "WorkspaceRegion": "eastus",
        "SourceTags.SourceEnv": "PROD",
        "TriggeringRuleNames": "[\"6d77d754-7073-494a-xxxx-xxxx-xxxxxxxxxxxx\"]",
        "SentinelWorkspaceRegion": "eastus",
        "SentinelWorkspaceGeography": "unitedstates"
    },
    "Entities": [
        {
            "$id": "3",
            "Address": "199.91.xxx.xx",
            "Type": "ip"
        },
        {
            "$id": "4",
            "Address": "149.96.x.xx",
            "Type": "ip"
        }
    ]
}
For an incident whose alert originates from Office 365 Advanced Threat Protection, the sample payload is as follows. Note that it is an incident-creation event rather than a bare alert: the alert appears inside `object.properties.alerts`, and the mailbox, mail-message and URL entities appear under `object.properties.relatedEntities`.
{
    "eventUniqueId": "e4affc82-a321-4262-8cd6-a36447f1c39e",
    "objectSchemaType": "Incident",
    "objectEventType": "Create",
    "workspaceInfo": {
        "SubscriptionId": "8f93a6b8-61df-4704-xxxx-xxxxxxxxxxxx",
        "ResourceGroupName": "rg-azure-sentinel",
        "WorkspaceName": "xxx-azure-sentinel"
    },
    "workspaceId": "7daaf750-c15a-4684-xxxx-xxxxxxxxxxxx",
    "object": {
        "id": "/subscriptions/8f93a6b8-61df-4704-xxxx-xxxxxxxxxxxx/resourceGroups/rg-azure-sentinel/providers/Microsoft.OperationalInsights/workspaces/xxx-azure-sentinel/providers/Microsoft.SecurityInsights/Incidents/2e58c755-b4c8-4a24-8231-e86a1e46d343",
        "name": "2e58c755-b4c8-4a24-8231-e86a1e46d343",
        "etag": "\"ba00b698-0000-0d00-0000-627b9eb60000\"",
        "type": "Microsoft.SecurityInsights/Incidents",
        "properties": {
            "title": "Email messages containing malicious URL removed after delivery​",
            "description": "Emails with malicious URL that were delivered and later removed -V1.0.0.3",
            "severity": "Informational",
            "status": "Active",
            "owner": {
                "objectId": null,
                "email": null,
                "assignedTo": null,
                "userPrincipalName": null
            },
            "labels": [],
            "firstActivityTimeUtc": "2022-05-11T11:17:04.4972846Z",
            "lastActivityTimeUtc": "2022-05-11T11:17:04.4972846Z",
            "lastModifiedTimeUtc": "2022-05-11T11:32:06.0149139Z",
            "createdTimeUtc": "2022-05-11T11:32:05.7284391Z",
            "incidentNumber": 2606,
            "additionalData": {
                "alertsCount": 1,
                "bookmarksCount": 0,
                "commentsCount": 0,
                "alertProductNames": [
                    "Office 365 Advanced Threat Protection"
                ],
                "tactics": [
                    "PreAttack"
                ],
                "techniques": []
            },
            "relatedAnalyticRuleIds": [
                "/subscriptions/8f93a6b8-61df-4704-xxxx-xxxxxxxxxxxx/resourceGroups/rg-azure-sentinel/providers/Microsoft.OperationalInsights/workspaces/xxx-azure-sentinel/providers/Microsoft.SecurityInsights/alertRules/d6500e61-2f81-4333-9791-0c1ee7fe5bed"
            ],
            "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/8f93a6b8-61df-4704-xxxx-xxxxxxxxxxxx/resourceGroups/rg-azure-sentinel/providers/Microsoft.OperationalInsights/workspaces/xxx-azure-sentinel/providers/Microsoft.SecurityInsights/Incidents/2e58c755-b4c8-4a24-8231-e86a1e46d343",
            "providerName": "Azure Sentinel",
            "providerIncidentId": "2606",
            "alerts": [
                {
                    "id": "/subscriptions/8f93a6b8-61df-4704-xxxx-xxxxxxxxxxxx/resourceGroups/rg-azure-sentinel/providers/Microsoft.OperationalInsights/workspaces/xxx-azure-sentinel/providers/Microsoft.SecurityInsights/Entities/",
                    "type": "Microsoft.SecurityInsights/Entities",
                    "kind": "SecurityAlert",
                    "properties": {
                        "systemAlertId": "0c9ac226-84ed-0bbd-19d7-e4848440b558",
                        "confidenceScore": 1,
                        "tactics": [
                            "PreAttack"
                        ],
                        "alertDisplayName": "Email messages containing malicious URL removed after delivery​",
                        "description": "Emails with malicious URL that were delivered and later removed -V1.0.0.3",
                        "confidenceLevel": "Unknown",
                        "severity": "Informational",
                        "vendorName": "Microsoft",
                        "productName": "Office 365 Advanced Threat Protection",
                        "alertType": "8e6ba277-ef39-404e-aaf1-294f6d9a2b88",
                        "processingEndTime": "2022-05-11T11:25:25.519505Z",
                        "status": "InProgress",
                        "endTimeUtc": "2022-05-11T11:17:04.4972846Z",
                        "startTimeUtc": "2022-05-11T11:17:04.4972846Z",
                        "timeGenerated": "2022-05-11T11:25:25Z",
                        "providerAlertId": "a7282af8-bd94-4a06-xxxx-xxxxxxxxxxxx",
                        "alertLink": "https://protection.office.com/viewalerts?id=a7282af8-bd94-4a06-xxxx-xxxxxxxxxxxx",
                        "resourceIdentifiers": [
                            {
                                "type": "LogAnalytics",
                                "workspaceId": "7daaf750-c15a-4684-xxxx-xxxxxxxxxxxx"
                            }
                        ],
                        "additionalData": {
                            "InvestigationName": "Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:42ac6f0bbff28fexxxxxxxxxxxxxxxx",
                            "Status": "Investigation Started",
                            "ProcessedBySentinel": "True",
                            "Alert generation status": "Full alert created"
                        },
                        "friendlyName": "Email messages containing malicious URL removed after delivery​"
                    }
                }
            ],
            "bookmarks": [],
            "relatedEntities": [
                {
                    "id": "/subscriptions/8f93a6b8-61df-4704-xxxx-xxxxxxxxxxxx/resourceGroups/rg-azure-sentinel/providers/Microsoft.OperationalInsights/workspaces/xxx-azure-sentinel/providers/Microsoft.SecurityInsights/Entities/",
                    "type": "Microsoft.SecurityInsights/Entities",
                    "kind": "Mailbox",
                    "properties": {
                        "mailboxPrimaryAddress": "abc.mustermann@xxx.com",
                        "upn": "abc.mustermann@xxx.com",
                        "additionalData": {
                            "Urn": "urn:UserEntity:05ccd0bcf4ca2078976dxxxxxxxxxxxxxx",
                            "Source": "OATP",
                            "FirstSeen": "0001-01-01T00:00:00"
                        },
                        "friendlyName": "abc.mustermann@xxx.com"
                    }
                },
                {
                    "id": "/subscriptions/8f93a6b8-61df-4704-xxxx-xxxxxxxxxxxx/resourceGroups/rg-azure-sentinel/providers/Microsoft.OperationalInsights/workspaces/xxx-azure-sentinel/providers/Microsoft.SecurityInsights/Entities/",
                    "type": "Microsoft.SecurityInsights/Entities",
                    "kind": "MailMessage",
                    "properties": {
                        "fileEntityIds": [],
                        "recipient": "abc.mustermann@xxx.com",
                        "urls": [
                            "https://wetransfer.com/?utm_c...",
                            "https://wetransfer.com/?utm...",
                            "https://wetransfer.com/pro...",
                            "https://wetransfer.com/abou...",
                            "https://wetransfer.com/leg...",
                            "https://wetransfer.zend...",
                            "https://wetransfer.zendes...",
                            "https://wetransfer.zendes...",
                            "https://webmail.belgium-me...",
                            "http://smile-netshop.com..."
                        ],
                        "p1Sender": "support@contoso.com",
                        "p1SenderDomain": "contoso.com",
                        "senderIP": "35.157.190.234",
                        "p2Sender": "support@contoso.com",
                        "p2SenderDisplayName": "Wetransfer",
                        "p2SenderDomain": "contoso.com",
                        "receiveDate": "2022-05-11T11:05:44",
                        "networkMessageId": "e65b1914-7e6c-4088-xxxx-xxxxxxxxxxxx",
                        "internetMessageId": "<8a8e3c708be8434846451e23xxxxxxx@contoso.com>",
                        "subject": "Document .pdf sent successfully to abc.mustermann@xxx.com",
                        "antispamDirection": "Inbound",
                        "deliveryAction": "DeliveredAsSpam",
                        "language": "en",
                        "threatDetectionMethods": [
                            "MLModel"
                        ],
                        "additionalData": {
                            "OriginalDeliveryLocation": "JunkFolder",
                            "AdditionalActionsAndResults": "[\"OriginalDelivery: [N/A]\"]",
                            "AuthDetails": "[{\"Name\":\"SPF\",\"Value\":\"None\"},{\"Name\":\"DKIM\",\"Value\":\"None\"},{\"Name\":\"DMARC\",\"Value\":\"None\"},{\"Name\":\"Comp Auth\",\"Value\":\"none\"}]",
                            "SystemOverrides": "[]",
                            "Urn": "urn:MailEntity:db2af87d14724ea5b712xxxxxxxxxxx",
                            "Source": "OATP",
                            "FirstSeen": "0001-01-01T00:00:00"
                        },
                        "friendlyName": "e65b1914-7e6c-4088-xxxx-xxxxxxxxxxxx"
                    }
                },
                {
                    "id": "/subscriptions/8f93a6b8-61df-4704-xxxx-xxxxxxxxxxxx/resourceGroups/rg-azure-sentinel/providers/Microsoft.OperationalInsights/workspaces/xxx-azure-sentinel/providers/Microsoft.SecurityInsights/Entities/",
                    "type": "Microsoft.SecurityInsights/Entities",
                    "kind": "Url",
                    "properties": {
                        "url": "http://smile-netshop.com/wet/wetranfers.html#abc.mustermann@xxx.com",
                        "additionalData": {
                            "ClickCount": 0,
                            "EmailCount": 1,
                            "Urn": "urn:UrlEntity:6a8490467f66f12c26xxxxxxxxxxxxxxxx",
                            "Source": "OATP",
                            "FirstSeen": "0001-01-01T00:00:00"
                        },
                        "friendlyName": "http://smile-netshop.com/wet/wetranfers.html#abc.mustermann@xxx.com"
                    }
                }
            ],
            "comments": []
        }
    }
}