Skip to main content

New Endpoint Alert

Triggers a workflow on every new Microsoft Defender For Endpoints alert created.

info

Automations based on this trigger will search for new events every 5 minutes.

Parameters

ParameterDescription
Additional FilterAn additional filter by which to limit the type of alerts. Allowed fields: incidentId,InvestigationId, status, severity, and category.

Sample Event

{
    "id": "da637308392288907382_-880718168",
    "incidentId": 7587,
    "investigationId": 723156,
    "assignedTo": "secop123@contoso.com",
    "severity": "Low",
    "status": "New",
    "classification": "TruePositive",
    "determination": null,
    "investigationState": "Queued",
    "detectionSource": "WindowsDefenderAv",
    "category": "SuspiciousActivity",
    "threatFamilyName": "Meterpreter",
    "title": "Suspicious 'Meterpreter' behavior was detected",
    "description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.",
    "alertCreationTime": "2020-07-20T10:53:48.7657932Z",
    "firstEventTime": "2020-07-20T10:52:17.6654369Z",
    "lastEventTime": "2020-07-20T10:52:18.1362905Z",
    "lastUpdateTime": "2020-07-20T10:53:50.19Z",
    "resolvedTime": null,
    "machineId": "12ee6dd8c833c8a052ea231ec1b19adaf497b625",
    "computerDnsName": "temp123.middleeast.corp.microsoft.com",
    "rbacGroupName": "MiddleEast",
    "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
    "threatName": null,
    "mitreTechniques": [
        "T1064",
        "T1085",
        "T1220"
    ],
    "relatedUser": {
        "userName": "temp123",
        "domainName": "DOMAIN"
    },
    "comments": [
        {
            "comment": "test comment for docs",
            "createdBy": "secop123@contoso.com",
            "createdTime": "2020-07-21T01:00:37.8404534Z"
        }
    ],
    "evidence": []
}