Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
'This query looks for Microsoft Defender AV detections related to Europium actor. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available. Reference: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-ag
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Standalone Content |
| ID | 186970ee-5001-41c1-8c73-3178f75ce96a |
| Severity | High |
| Kind | Scheduled |
| Tactics | Impact |
| Techniques | T1486 |
| Required Connectors | MicrosoftThreatProtection |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
DeviceInfo |
✓ | ✗ | ? |
SecurityAlert |
✓ | ✗ | ? |
The following connectors provide data for this content item:
Solutions: IoTOTThreatMonitoringwithDefenderforIoT, Microsoft Defender for Cloud, Microsoft Defender for Cloud Apps, Microsoft Defender for Identity, Microsoft Defender for Office 365, Microsoft Entra ID Protection, MicrosoftDefenderForEndpoint, MicrosoftPurviewInsiderRiskManagement
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊