Microsoft Defender ATP Alerts

name: Microsoft Defender ATP Alerts
id: 38f034ed-1598-46c8-95e8-14edf05fdf5d
version: 7
date: '2026-04-16'
author: Bryan Pluta, Bhavin Patel, Splunk
status: production
type: TTP
data_source:
    - MS Defender ATP Alerts
description: The following analytic is to leverage alerts from Microsoft Defender ATP Alerts. This query aggregates and summarizes all alerts from Microsoft Defender ATP Alerts, providing details such as the source, file name, severity, process command line, ip address, registry key, signature, description, unique id, and timestamps. This detection is not intended to detect new activity from raw data, but leverages Microsoft provided alerts to be correlated with other data as part of risk based alerting. The data contained in the alert is mapped not only to the risk object, but also the threat object. This detection filters out evidence that has a verdict of clean from Microsoft. It dynamically maps the MITRE technique at search time to auto populate the annotation field with the value provided in the alert. It also uses a dynamic mapping to set the risk score in Enterprise Security based on the severity of the alert.
search: "`ms_defender_atp_alerts` (dest=* OR user=*)\n  | eval tmp_evidence=json_extract(_raw, \"evidence\"), tmp_evidencemv=json_array_to_mv(tmp_evidence), entityType = mvmap(tmp_evidencemv, spath(tmp_evidencemv, \"entityType\")), filePath = mvmap(tmp_evidencemv, spath(tmp_evidencemv, \"filePath\")), processCommandLine = mvmap(tmp_evidencemv, spath(tmp_evidencemv, \"processCommandLine\")), ipAddress = mvmap(tmp_evidencemv, spath(tmp_evidencemv, \"ipAddress\")), registryKey = mvmap(tmp_evidencemv, spath(tmp_evidencemv, \"registryKey\")), url = mvmap(tmp_evidencemv, spath(tmp_evidencemv, \"url\")), fileName = mvmap(tmp_evidencemv, spath(tmp_evidencemv, \"fileName\"))\n  | eval tmp_evidencemv=mvfilter(json_extract(tmp_evidencemv, \"entityType\") = \"File\"), fileName = mvmap(tmp_evidencemv, spath(tmp_evidencemv, \"fileName\"))\n  | eval risk_score=case(severity=\"informational\", 5, severity=\"low\", 15, severity=\"medium\", 25, severity=\"high\", 50 , true(), 2)\n  | eval processCommandLine=if(processCommandLine=\"null\", \"\", processCommandLine), ipAddress=if(ipAddress=\"null\", \"\", ipAddress), registryKey=if(registryKey=\"null\", \"\", registryKey), url=if(url=\"null\", \"\", url)\n  | stats count min(_time) as firstTime max(_time) as lastTime values(fileName) as file_name values(severity) as severity values(processCommandLine) as process values(ipAddress) as ip_address values(registryKey) as registry_key values(url) as url values(mitreTechniques{}) as annotations.mitre_attack.mitre_technique_id values(signature) as signature values(user) as user values(risk_score) as risk_score\n    BY id description src\n  | `security_content_ctime(firstTime)`\n  | `security_content_ctime(lastTime)`\n  | `microsoft_defender_atp_alerts_filter`"
how_to_implement: In order to properly run this search, you need to ingest alerts data from Microsoft Defender, specifcally using the Splunk add-on for Microsoft Security. This add-on will collect alerts using the ms:defender:atp:alerts sourcetype. You will need to define the `ms_defender_atp_alerts` macro to point to the proper index that contains the ms:defender:atp:alerts sourcetype.
known_false_positives: False positives may vary based on Microsfot Defender configuration; monitor and filter out the alerts that are not relevant to your environment.
references:
    - https://learn.microsoft.com/en-us/defender-xdr/api-list-incidents?view=o365-worldwide
    - https://learn.microsoft.com/en-us/graph/api/resources/security-alert?view=graph-rest-1.0
    - https://splunkbase.splunk.com/app/6207
    - https://jasonconger.com/splunk-azure-gdi/
drilldown_searches:
    - name: View the detection results for - "$src$"
      search: '%original_detection_search% | search  src = "$src$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$src$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: '0'
rba:
    message: $severity$ alert for $src$ - $signature$
    risk_objects:
        - field: src
          type: system
          score: 50
        - field: user
          type: user
          score: 50
    threat_objects:
        - field: file_name
          type: file_name
        - field: process
          type: process_name
        - field: ip_address
          type: ip_address
        - field: registry_key
          type: registry_path
        - field: url
          type: url
tags:
    analytic_story:
        - Critical Alerts
    asset_type: Endpoint
    atomic_guid: []
    mitre_attack_id: []
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
    manual_test: We are dynamically creating the risk_score field based on the severity of the alert in the SPL and that supersedes the risk score set in the detection. Setting these to manual test since otherwise we fail integration testing. The detection is also failing on unit-testing as some of the fields set in the observables are empty.
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/alerts/defender_atp_alerts_single_event.log
          source: ms_defender_atp_alerts
          sourcetype: ms:defender:atp:alerts