MSTICPy versions >= 1.5.0
This notebook provides details and examples of how to connect to and query data from the Microsoft Defender Advanced Hunting API.
Note: This notebook reflects a partially-updated component and still uses the "MDATP" abbreviation to refer to the Microsoft 365 Defender and Microsoft Defender for Endpoint data services.
%pip install --upgrade msticpy
Authentication for the Microsoft Defender Advanced Hunting API is handled via an Azure AD application. Before you can authenticate you will need to register an application and grant it the required permissions. MSTICPy supports application-context authentication to the API. Detailed instructions on registering an application can be found here:
Once the application is created you will need the following details:
These details can be found in the Azure Portal under Azure Active Directory > App Registrations.
Once collected, the easiest way to manage these details is via msticpyconfig.yaml: simply add them to the file in the following format:
DataProviders:
  MicrosoftDefender:
    Args:
      ClientId: "CLIENT ID"
      ClientSecret:
        KeyVault:
      TenantId: "TENANT ID"
You can then initialize a data provider for Microsoft Defender and connect the provider.
Note: you can also pass these values directly to the connect function; see Microsoft Defender data provider.
Note: if you want to access the Microsoft Defender for Endpoint APIs rather than the M365 Defender API (the latter is a subset of the former), use "MDE" as the parameter to QueryProvider.
from msticpy.data.data_providers import QueryProvider
md_prov = QueryProvider('M365D')
md_prov.connect()
Connected.
{'token_type': 'Bearer', 'expires_in': '3599', 'ext_expires_in': '3599', 'expires_on': '1578009447', 'not_before': '1578005547', 'resource': 'https://api.securitycenter.windows.com', 'access_token': None}
Once connected, the Microsoft Defender data connector works in the same way as the other data connectors. You can list queries:
md_prov.list_queries()
['MDATP.file_path', 'MDATP.host_alerts', 'MDATP.host_connections', 'MDATP.ip_alerts', 'MDATP.ip_connections', 'MDATP.list_alerts', 'MDATP.list_connections', 'MDATP.list_filehash', 'MDATP.list_files', 'MDATP.list_host_processes', 'MDATP.process_cmd_line', 'MDATP.process_creations', 'MDATP.process_paths', 'MDATP.protocol_connections', 'MDATP.sha1_alerts', 'MDATP.url_alerts', 'MDATP.url_connections', 'MDATP.user_files', 'MDATP.user_logons', 'MDATP.user_network', 'MDATP.user_processes', 'MDATPHunting.accessibility_persistence', 'MDATPHunting.av_sites', 'MDATPHunting.b64_pe', 'MDATPHunting.brute_force', 'MDATPHunting.cve_2018_1000006l', 'MDATPHunting.cve_2018_1111', 'MDATPHunting.cve_2018_4878', 'MDATPHunting.doc_with_link', 'MDATPHunting.dropbox_link', 'MDATPHunting.email_link', 'MDATPHunting.email_smartscreen', 'MDATPHunting.malware_recycle', 'MDATPHunting.network_scans', 'MDATPHunting.powershell_downloads', 'MDATPHunting.service_account_powershell', 'MDATPHunting.smartscreen_ignored', 'MDATPHunting.smb_discovery', 'MDATPHunting.tor', 'MDATPHunting.uncommon_powershell', 'MDATPHunting.user_enumeration']
Get details about available queries:
md_prov.MDATP.list_alerts('?')
Query:  list_connections
Data source:  MDATP
Retrieves list of network connections for a host

Parameters
----------
add_query_items: str (optional)
    Additional query clauses
end: datetime (optional)
    Query end time
start: datetime (optional)
    Query start time
    (default value is: -30)
table: str (optional)
    Table name
    (default value is: NetworkCommunicationEvents)
Query:
 {table} | where EventTime >= datetime({start}) | where EventTime <= datetime({end}) {add_query_items}
Execute queries with default parameters:
md_prov.MDATP.list_alerts()
| | AlertId | EventTime | MachineId | ComputerName | Severity | Category | Title | FileName | SHA1 | RemoteUrl | RemoteIP | ReportId | Table |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | da637111553314888493_-215032980 | 2019-12-08T17:22:37.8742974Z | f17cf15efe963a9810a0ad1c1842db543bba8775 | pradeepg-win10entn-1809 | Medium | DefenseEvasion | Suspicious process injection observed | notepad.exe | b6d237154f2e528f0b503b58b025862d66b02b73 | | | 454 | MiscEvents |
| 1 | da637111470533220658_-1814166510 | 2019-12-05T12:34:34.7864124Z | 1e9f8f18585e70ef1f167fbf5e8bf7c3dccc5739 | olaa-win10pro-1607 | Informational | Execution | [Test Alert] Suspicious Powershell commandline | powershell.exe | 044a0cf1f6bc478a7172bf207eef1e201a18ba02 | | | 4369 | ProcessCreationEvents |
| 2 | da637111470533220658_-1814166510 | 2019-12-05T12:34:34.7864124Z | 1e9f8f18585e70ef1f167fbf5e8bf7c3dccc5739 | olaa-win10pro-1607 | Informational | Execution | [Test Alert] Suspicious Powershell commandline | cmd.exe | 99ae9c73e9bee6f9c76d6f4093a9882df06832cf | | | 4369 | ProcessCreationEvents |
| 3 | da637111448595540767_-885088719 | 2019-12-05T12:11:25.5486226Z | 499bdd5330f78dc82d0051c8d7a9eb9d69f88333 | nestorw-win10pro-1803 | Informational | Execution | [Test Alert] Suspicious Powershell commandline | powershell.exe | 1b3b40fbc889fd4c645cc12c85d0805ac36ba254 | | | 14968 | ProcessCreationEvents |
| 4 | da637111448595540767_-885088719 | 2019-12-05T12:11:25.5486226Z | 499bdd5330f78dc82d0051c8d7a9eb9d69f88333 | nestorw-win10pro-1803 | Informational | Execution | [Test Alert] Suspicious Powershell commandline | cmd.exe | 3ce71813199abae99348f61f0caa34e2574f831c | | | 14968 | ProcessCreationEvents |
| 5 | da637111835325717564_-1865655676 | 2019-12-05T16:05:46.4778106Z | be333ec5312b6aaf4936cc33784577857108bc3a | arifb-win10edun-1903 | Medium | DefenseEvasion | Suspicious process injection observed | powershell.exe | 36c5d12033b2eaf251bae61c00690ffb17fddc87 | | | 2376 | MiscEvents |
| 6 | da637111835325717564_-1865655676 | 2019-12-05T16:05:46.4778106Z | be333ec5312b6aaf4936cc33784577857108bc3a | arifb-win10edun-1903 | Medium | DefenseEvasion | Suspicious process injection observed | notepad.exe | d487580502354c61808c7180d1a336beb7ad4624 | | | 2376 | MiscEvents |
| 7 | da637111691253610692_623907060 | 2019-12-05T16:50:16.9477916Z | be333ec5312b6aaf4936cc33784577857108bc3a | arifb-win10edun-1903 | Informational | Execution | [Test Alert] Suspicious Powershell commandline | powershell.exe | 36c5d12033b2eaf251bae61c00690ffb17fddc87 | | | 915 | ProcessCreationEvents |
| 8 | da637111691253610692_623907060 | 2019-12-05T16:50:16.9477916Z | be333ec5312b6aaf4936cc33784577857108bc3a | arifb-win10edun-1903 | Informational | Execution | [Test Alert] Suspicious Powershell commandline | cmd.exe | 8dca9749cd48d286950e7a9fa1088c937cbccad4 | | | 915 | ProcessCreationEvents |
| 9 | da637111691236503999_-1316647445 | 2019-12-05T16:56:18.6397738Z | be333ec5312b6aaf4936cc33784577857108bc3a | arifb-win10edun-1903 | Medium | DefenseEvasion | Suspicious process injection observed | RuntimeBroker.exe | 7ae43b9b9df5c5b8c0b26c36ff02557ceef13e27 | | | 1190 | MiscEvents |
| 10 | da637111691236503999_-1316647445 | 2019-12-05T16:56:18.6397738Z | be333ec5312b6aaf4936cc33784577857108bc3a | arifb-win10edun-1903 | Medium | DefenseEvasion | Suspicious process injection observed | RuntimeBroker.exe | 7ae43b9b9df5c5b8c0b26c36ff02557ceef13e27 | | | 1190 | MiscEvents |
| 11 | da637111691236503999_-1316647445 | 2019-12-05T16:56:18.6397738Z | be333ec5312b6aaf4936cc33784577857108bc3a | arifb-win10edun-1903 | Medium | DefenseEvasion | Suspicious process injection observed | RuntimeBroker.exe | 7ae43b9b9df5c5b8c0b26c36ff02557ceef13e27 | | | 1190 | MiscEvents |
| 12 | da637111691236503999_-1316647445 | 2019-12-05T16:56:18.6397738Z | be333ec5312b6aaf4936cc33784577857108bc3a | arifb-win10edun-1903 | Medium | DefenseEvasion | Suspicious process injection observed | WinATP-Intro-Backdoorgpj.exe | 79c3e3cffcf57dd9913a605d5e55b2fdb8ebc4dc | | | 1190 | MiscEvents |
| 13 | da637111691251815824_2024877765 | 2019-12-05T16:56:18.6407635Z | be333ec5312b6aaf4936cc33784577857108bc3a | arifb-win10edun-1903 | Medium | Persistence | Anomaly detected in ASEP registry | WinATP-Intro-Backdoorgpj.exe | 79c3e3cffcf57dd9913a605d5e55b2fdb8ebc4dc | | | 1187 | RegistryEvents |
| 14 | da637111691256543941_-1462732472 | 2019-12-05T16:56:18.6407635Z | be333ec5312b6aaf4936cc33784577857108bc3a | arifb-win10edun-1903 | Medium | Persistence | An uncommon file was created and added to a Ru... | WinATP-Intro-Backdoorgpj.exe | 79c3e3cffcf57dd9913a605d5e55b2fdb8ebc4dc | | | 1187 | RegistryEvents |
| 15 | da637111691246094719_-1324223004 | 2019-12-05T16:56:18.6685765Z | be333ec5312b6aaf4936cc33784577857108bc3a | arifb-win10edun-1903 | Informational | Execution | EAF violation blocked by exploit protection | RuntimeBroker.exe | 7ae43b9b9df5c5b8c0b26c36ff02557ceef13e27 | | | 1191 | MiscEvents |
| 16 | da637111618734194967_-707278866 | 2019-12-05T16:56:18.8702258Z | be333ec5312b6aaf4936cc33784577857108bc3a | arifb-win10edun-1903 | Low | Malware | An active 'Artoelo' malware was detected | WinATP-Intro-Backdoorgpj.exe | | | | 1200 | MiscEvents |
| 17 | da637111691251004475_-451474344 | 2019-12-05T16:56:19.0725178Z | be333ec5312b6aaf4936cc33784577857108bc3a | arifb-win10edun-1903 | Informational | Malware | 'Artoelo' malware was detected | WinATP-Intro-Backdoorgpj.exe | 79c3e3cffcf57dd9913a605d5e55b2fdb8ebc4dc | | | 1194 | MiscEvents |
| 18 | da637111691511319089_701653122 | 2019-12-05T17:01:20.0899859Z | be333ec5312b6aaf4936cc33784577857108bc3a | arifb-win10edun-1903 | Medium | SuspiciousActivity | A suspicious file was observed | powershell.exe | 36c5d12033b2eaf251bae61c00690ffb17fddc87 | | | 1449 | FileCreationEvents |
| 19 | da637111691521375847_1538423732 | 2019-12-05T17:01:20.0899859Z | be333ec5312b6aaf4936cc33784577857108bc3a | arifb-win10edun-1903 | Medium | Execution | Suspicious behavior by cmd.exe was observed | powershell.exe | 36c5d12033b2eaf251bae61c00690ffb17fddc87 | | | 1449 | FileCreationEvents |
| 20 | da637111691521375847_1538423732 | 2019-12-05T17:12:41.4195893Z | be333ec5312b6aaf4936cc33784577857108bc3a | arifb-win10edun-1903 | Medium | Execution | Suspicious behavior by cmd.exe was observed | WindowsDefenderAtpProvisioningService.exe | 2f5a566429f0df02dd0dfb45be075531f332a887 | | | 1960 | FileCreationEvents |
| 21 | da637111691511319089_701653122 | 2019-12-05T17:12:41.4195893Z | be333ec5312b6aaf4936cc33784577857108bc3a | arifb-win10edun-1903 | Medium | SuspiciousActivity | A suspicious file was observed | WindowsDefenderAtpProvisioningService.exe | 2f5a566429f0df02dd0dfb45be075531f332a887 | | | 1960 | FileCreationEvents |
| 22 | da637111691521375847_1538423732 | 2019-12-05T17:12:41.4195893Z | be333ec5312b6aaf4936cc33784577857108bc3a | arifb-win10edun-1903 | Medium | Execution | Suspicious behavior by cmd.exe was observed | cmd.exe | | | | 1960 | FileCreationEvents |
| 23 | da637111691236503999_-1316647445 | 2019-12-05T17:12:43.2754844Z | be333ec5312b6aaf4936cc33784577857108bc3a | arifb-win10edun-1903 | Medium | DefenseEvasion | Suspicious process injection observed | WinATP-Intro-Backdoorgpj.exe | 79c3e3cffcf57dd9913a605d5e55b2fdb8ebc4dc | | | 1972 | MiscEvents |
| 24 | da637111691236503999_-1316647445 | 2019-12-05T17:12:43.2754844Z | be333ec5312b6aaf4936cc33784577857108bc3a | arifb-win10edun-1903 | Medium | DefenseEvasion | Suspicious process injection observed | RuntimeBroker.exe | 7ae43b9b9df5c5b8c0b26c36ff02557ceef13e27 | | | 1972 | MiscEvents |
| 25 | da637111691236503999_-1316647445 | 2019-12-05T17:12:43.2754844Z | be333ec5312b6aaf4936cc33784577857108bc3a | arifb-win10edun-1903 | Medium | DefenseEvasion | Suspicious process injection observed | RuntimeBroker.exe | 7ae43b9b9df5c5b8c0b26c36ff02557ceef13e27 | | | 1972 | MiscEvents |
| 26 | da637111691236503999_-1316647445 | 2019-12-05T17:12:43.2754844Z | be333ec5312b6aaf4936cc33784577857108bc3a | arifb-win10edun-1903 | Medium | DefenseEvasion | Suspicious process injection observed | RuntimeBroker.exe | 7ae43b9b9df5c5b8c0b26c36ff02557ceef13e27 | | | 1972 | MiscEvents |
| 27 | da637111691236503999_-1316647445 | 2019-12-05T17:12:43.2754844Z | be333ec5312b6aaf4936cc33784577857108bc3a | arifb-win10edun-1903 | Medium | DefenseEvasion | Suspicious process injection observed | RuntimeBroker.exe | 7ae43b9b9df5c5b8c0b26c36ff02557ceef13e27 | | | 1972 | MiscEvents |
| 28 | da637111691236503999_-1316647445 | 2019-12-05T17:12:43.2754844Z | be333ec5312b6aaf4936cc33784577857108bc3a | arifb-win10edun-1903 | Medium | DefenseEvasion | Suspicious process injection observed | WinATP-Intro-Backdoorgpj.exe | 79c3e3cffcf57dd9913a605d5e55b2fdb8ebc4dc | | | 1972 | MiscEvents |
| 29 | da637111691251815824_2024877765 | 2019-12-05T17:12:43.2822557Z | be333ec5312b6aaf4936cc33784577857108bc3a | arifb-win10edun-1903 | Medium | Persistence | Anomaly detected in ASEP registry | WinATP-Intro-Backdoorgpj.exe | 79c3e3cffcf57dd9913a605d5e55b2fdb8ebc4dc | | | 1970 | RegistryEvents |
| 30 | da637111691256543941_-1462732472 | 2019-12-05T17:12:43.2822557Z | be333ec5312b6aaf4936cc33784577857108bc3a | arifb-win10edun-1903 | Medium | Persistence | An uncommon file was created and added to a Ru... | WinATP-Intro-Backdoorgpj.exe | 79c3e3cffcf57dd9913a605d5e55b2fdb8ebc4dc | | | 1970 | RegistryEvents |
| 31 | da637111536085551266_1012263407 | 2019-12-05T14:38:34.3208724Z | f17cf15efe963a9810a0ad1c1842db543bba8775 | pradeepg-win10entn-1809 | Informational | Execution | [Test Alert] Suspicious Powershell commandline | powershell.exe | 6cbce4a295c163791b60fc23d285e6d84f28ee4c | | | 45 | ProcessCreationEvents |
| 32 | da637111536085551266_1012263407 | 2019-12-05T14:38:34.3208724Z | f17cf15efe963a9810a0ad1c1842db543bba8775 | pradeepg-win10entn-1809 | Informational | Execution | [Test Alert] Suspicious Powershell commandline | cmd.exe | 8c5437cd76a89ec983e3b364e219944da3dab464 | | | 45 | ProcessCreationEvents |
| 33 | da637111553314888493_-215032980 | 2019-12-05T15:06:20.3372768Z | f17cf15efe963a9810a0ad1c1842db543bba8775 | pradeepg-win10entn-1809 | Medium | DefenseEvasion | Suspicious process injection observed | powershell.exe | 6cbce4a295c163791b60fc23d285e6d84f28ee4c | | | 256 | MiscEvents |
| 34 | da637111553314888493_-215032980 | 2019-12-05T15:06:20.3372768Z | f17cf15efe963a9810a0ad1c1842db543bba8775 | pradeepg-win10entn-1809 | Medium | DefenseEvasion | Suspicious process injection observed | notepad.exe | b6d237154f2e528f0b503b58b025862d66b02b73 | | | 256 | MiscEvents |
| 35 | da637111553314888493_-215032980 | 2019-12-05T15:22:44.3072402Z | f17cf15efe963a9810a0ad1c1842db543bba8775 | pradeepg-win10entn-1809 | Medium | DefenseEvasion | Suspicious process injection observed | powershell.exe | 6cbce4a295c163791b60fc23d285e6d84f28ee4c | | | 368 | MiscEvents |
| 36 | da637111553314888493_-215032980 | 2019-12-05T15:22:44.3072402Z | f17cf15efe963a9810a0ad1c1842db543bba8775 | pradeepg-win10entn-1809 | Medium | DefenseEvasion | Suspicious process injection observed | notepad.exe | b6d237154f2e528f0b503b58b025862d66b02b73 | | | 368 | MiscEvents |
| 37 | da637111553314888493_-215032980 | 2019-12-05T16:02:02.3857966Z | f17cf15efe963a9810a0ad1c1842db543bba8775 | pradeepg-win10entn-1809 | Medium | DefenseEvasion | Suspicious process injection observed | powershell.exe | 6cbce4a295c163791b60fc23d285e6d84f28ee4c | | | 162 | MiscEvents |
| 38 | da637111553314888493_-215032980 | 2019-12-05T16:02:02.3857966Z | f17cf15efe963a9810a0ad1c1842db543bba8775 | pradeepg-win10entn-1809 | Medium | DefenseEvasion | Suspicious process injection observed | notepad.exe | b6d237154f2e528f0b503b58b025862d66b02b73 | | | 162 | MiscEvents |
| 39 | da637111536085551266_1012263407 | 2019-12-08T15:59:28.1181531Z | f17cf15efe963a9810a0ad1c1842db543bba8775 | pradeepg-win10entn-1809 | Informational | Execution | [Test Alert] Suspicious Powershell commandline | cmd.exe | 8c5437cd76a89ec983e3b364e219944da3dab464 | | | 130 | ProcessCreationEvents |
| 40 | da637111536085551266_1012263407 | 2019-12-08T15:59:28.1181531Z | f17cf15efe963a9810a0ad1c1842db543bba8775 | pradeepg-win10entn-1809 | Informational | Execution | [Test Alert] Suspicious Powershell commandline | powershell.exe | 6cbce4a295c163791b60fc23d285e6d84f28ee4c | | | 130 | ProcessCreationEvents |
| 41 | da637111536085551266_1012263407 | 2019-12-08T17:11:14.931633Z | f17cf15efe963a9810a0ad1c1842db543bba8775 | pradeepg-win10entn-1809 | Informational | Execution | [Test Alert] Suspicious Powershell commandline | cmd.exe | 8c5437cd76a89ec983e3b364e219944da3dab464 | | | 137 | ProcessCreationEvents |
| 42 | da637111536085551266_1012263407 | 2019-12-08T17:11:14.931633Z | f17cf15efe963a9810a0ad1c1842db543bba8775 | pradeepg-win10entn-1809 | Informational | Execution | [Test Alert] Suspicious Powershell commandline | powershell.exe | 6cbce4a295c163791b60fc23d285e6d84f28ee4c | | | 137 | ProcessCreationEvents |
| 43 | da637111553314888493_-215032980 | 2019-12-08T17:22:37.8742974Z | f17cf15efe963a9810a0ad1c1842db543bba8775 | pradeepg-win10entn-1809 | Medium | DefenseEvasion | Suspicious process injection observed | powershell.exe | 6cbce4a295c163791b60fc23d285e6d84f28ee4c | | | 454 | MiscEvents |
Execute queries with custom parameters:
md_prov.MDATP.list_alerts(start="-30", add_query_items="| summarize count() by Severity")
| | Severity | count_ |
|---|---|---|
| 0 | Medium | 29 |
| 1 | Informational | 14 |
| 2 | Low | 1 |
Print a fully constructed query for debug purposes:
md_prov.MDATP.list_alerts("print", start="-30", add_query_items="| summarize count() by Severity")
' AlertEvents | where EventTime >= datetime(2019-12-03T23:24:40.794583Z) | where EventTime <= datetime(2020-01-02T23:24:40.794583Z) | summarize count() by Severity'
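To make visible what the provider does with these parameters before the query reaches the API, here is an added example (a simplified stand-in written for this page, not MSTICPy's own code): it takes the query template from the description above, resolves a relative `start` such as "-30" as a day offset from the end time, splices in `add_query_items`, and honours a positional "print" flag the way the call above does. `LIST_ALERTS`, `resolve_time`, `render_query` and `run_query` are this example's own names; the table name `AlertEvents` is the one in the printed query above.

```python
# Added example: a simplified stand-in for MSTICPy's query templating, not its code.
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional, Union

# Template and defaults as shown in the query description on this page; the
# table name is the one visible in the printed list_alerts query.
LIST_ALERTS = {
    "table": "AlertEvents",
    "query": "{table} | where EventTime >= datetime({start}) "
             "| where EventTime <= datetime({end}) {add_query_items}",
    "defaults": {"start": "-30", "add_query_items": ""},
}


def resolve_time(value: Union[str, datetime], relative_to: datetime) -> datetime:
    """A datetime is used as-is; a signed integer string such as "-30" is a
    day offset from `relative_to`; anything else is parsed as ISO 8601."""
    if isinstance(value, datetime):
        return value
    text = str(value).strip()
    if text.lstrip("-+").isdigit():
        return relative_to + timedelta(days=int(text))
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def kql_time(value: datetime) -> str:
    """Format as the datetime(...) literal the printed query shows."""
    return value.strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def render_query(template: dict, now: Optional[Union[str, datetime]] = None,
                 **params) -> str:
    """Fill the template: `end` defaults to `now`, `start` resolves against `end`.
    add_query_items is spliced in verbatim, so pass only clauses you wrote
    yourself, never strings taken from untrusted input."""
    current = datetime.now(timezone.utc)
    if now is not None:
        current = resolve_time(now, current)
    args = {**template["defaults"], **params}
    end = resolve_time(args.get("end", current), current)
    start = resolve_time(args["start"], end)
    return template["query"].format(
        table=args.get("table", template["table"]),
        start=kql_time(start), end=kql_time(end),
        add_query_items=args["add_query_items"],
    ).strip()


def run_query(template: dict, executor: Callable[[str], object], *flags: str,
              now: Optional[Union[str, datetime]] = None, **params):
    """Mimic the provider's calling convention: a positional "print" flag returns
    the rendered query; otherwise it is handed to `executor` (the Advanced
    Hunting API call in MSTICPy, any callable here)."""
    query = render_query(template, now=now, **params)
    return query if "print" in flags else executor(query)
```

Calling `run_query(LIST_ALERTS, executor, "print", now="2020-01-02T23:24:40.794583Z", start="-30", add_query_items="| summarize count() by Severity")` reproduces the printed query above, with the 30-day offset resolving to 2019-12-03.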
Execute a custom query:
query = "AlertEvents | sample 10"
md_prov.exec_query(query)
| | AlertId | EventTime | MachineId | ComputerName | Severity | Category | Title | FileName | SHA1 | RemoteUrl | RemoteIP | ReportId | Table |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | da637111553314888493_-215032980 | 2019-12-08T17:22:37.8742974Z | f17cf15efe963a9810a0ad1c1842db543bba8775 | pradeepg-win10entn-1809 | Medium | DefenseEvasion | Suspicious process injection observed | notepad.exe | b6d237154f2e528f0b503b58b025862d66b02b73 | | | 454 | MiscEvents |
| 1 | da637111536085551266_1012263407 | 2019-12-08T17:11:14.931633Z | f17cf15efe963a9810a0ad1c1842db543bba8775 | pradeepg-win10entn-1809 | Informational | Execution | [Test Alert] Suspicious Powershell commandline | cmd.exe | 8c5437cd76a89ec983e3b364e219944da3dab464 | | | 137 | ProcessCreationEvents |
| 2 | da637111470533220658_-1814166510 | 2019-12-05T12:34:34.7864124Z | 1e9f8f18585e70ef1f167fbf5e8bf7c3dccc5739 | olaa-win10pro-1607 | Informational | Execution | [Test Alert] Suspicious Powershell commandline | cmd.exe | 99ae9c73e9bee6f9c76d6f4093a9882df06832cf | | | 4369 | ProcessCreationEvents |
| 3 | da637111448595540767_-885088719 | 2019-12-05T12:11:25.5486226Z | 499bdd5330f78dc82d0051c8d7a9eb9d69f88333 | nestorw-win10pro-1803 | Informational | Execution | [Test Alert] Suspicious Powershell commandline | powershell.exe | 1b3b40fbc889fd4c645cc12c85d0805ac36ba254 | | | 14968 | ProcessCreationEvents |
| 4 | da637111691236503999_-1316647445 | 2019-12-05T16:56:18.6397738Z | be333ec5312b6aaf4936cc33784577857108bc3a | arifb-win10edun-1903 | Medium | DefenseEvasion | Suspicious process injection observed | RuntimeBroker.exe | 7ae43b9b9df5c5b8c0b26c36ff02557ceef13e27 | | | 1190 | MiscEvents |
| 5 | da637111835325717564_-1865655676 | 2019-12-05T16:05:46.4778106Z | be333ec5312b6aaf4936cc33784577857108bc3a | arifb-win10edun-1903 | Medium | DefenseEvasion | Suspicious process injection observed | powershell.exe | 36c5d12033b2eaf251bae61c00690ffb17fddc87 | | | 2376 | MiscEvents |
| 6 | da637111835325717564_-1865655676 | 2019-12-05T16:05:46.4778106Z | be333ec5312b6aaf4936cc33784577857108bc3a | arifb-win10edun-1903 | Medium | DefenseEvasion | Suspicious process injection observed | notepad.exe | d487580502354c61808c7180d1a336beb7ad4624 | | | 2376 | MiscEvents |
| 7 | da637111691253610692_623907060 | 2019-12-05T16:50:16.9477916Z | be333ec5312b6aaf4936cc33784577857108bc3a | arifb-win10edun-1903 | Informational | Execution | [Test Alert] Suspicious Powershell commandline | powershell.exe | 36c5d12033b2eaf251bae61c00690ffb17fddc87 | | | 915 | ProcessCreationEvents |
| 8 | da637111691253610692_623907060 | 2019-12-05T16:50:16.9477916Z | be333ec5312b6aaf4936cc33784577857108bc3a | arifb-win10edun-1903 | Informational | Execution | [Test Alert] Suspicious Powershell commandline | cmd.exe | 8dca9749cd48d286950e7a9fa1088c937cbccad4 | | | 915 | ProcessCreationEvents |
| 9 | da637111536085551266_1012263407 | 2019-12-08T15:59:28.1181531Z | f17cf15efe963a9810a0ad1c1842db543bba8775 | pradeepg-win10entn-1809 | Informational | Execution | [Test Alert] Suspicious Powershell commandline | cmd.exe | 8c5437cd76a89ec983e3b364e219944da3dab464 | | | 130 | ProcessCreationEvents |