
Visualizer

Defender Data Source Field Definitions

An incident in Microsoft 365 Defender is a collection of correlated alerts and associated data that make up the story of an attack.

Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. However, attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities in your tenant.

Because piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft 365 Defender automatically aggregates the alerts and their associated information into an incident.

Field Name: Definition

incidentId: Unique identifier to represent the incident.
redirectIncidentId: Only populated in case an incident is being grouped together with another incident, as part of the incident processing logic.
incidentName: String value available for every incident.
createdTime: Time when the incident was first created.
lastUpdateTime: Time when the incident was last updated on the backend. This field can be used when you're setting the request parameter for the range of time that incidents are retrieved.
assignedTo: Owner of the incident, or null if no owner is assigned.
classification: The specification for the incident. The property values are: Unknown, FalsePositive, TruePositive.
determination: Specifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other.
detectionSource: Specifies the source of detection.
status: Categorizes incidents (as Active or Resolved). It can help you organize and manage your response to incidents.
severity: Indicates the possible impact on assets. The higher the severity, the bigger the impact. Typically higher severity items require the most immediate attention. One of the following values: Informational, Low, Medium, and High.
tags: Array of custom tags associated with an incident, for example to flag a group of incidents with a common characteristic.
comments: Array of comments created by secops when managing the incident, for example additional information about the classification selection.
alerts: Array containing all of the alerts related to the incident, plus other information, such as severity, entities that were involved in the alert, and the source of the alerts. Each alert carries the following fields:
  alertId: Unique identifier to represent the alert.
  incidentId: Unique identifier to represent the incident this alert is associated with.
  serviceSource: Service that the alert originates from, such as Microsoft Defender for Endpoint, Microsoft Defender for Cloud Apps, Microsoft Defender for Identity, or Microsoft Defender for Office 365.
  creationTime: Time when the alert was first created.
  lastUpdatedTime: Time when the alert was last updated at the backend.
  resolvedTime: Time when the alert was resolved.
  firstActivity: Time when the alert first reported that activity was updated at the backend.
  title: Brief identifying string value available for each alert.
  description: String value describing each alert.
  category: Visual and numeric view of how far the attack has progressed along the kill chain. Aligned to the MITRE ATT&CK™ framework.
  status: Categorizes alerts (as New, Active, or Resolved). It can help you organize and manage your response to alerts.
  severity: Indicates the possible impact on assets. The higher the severity, the bigger the impact. Typically higher severity items require the most immediate attention. One of the following values: Informational, Low, Medium, and High.
  investigationId: The automated investigation ID triggered by this alert.
  investigationState: Information on the investigation's current status. One of the following values: Unknown, Terminated, SuccessfullyRemediated, Benign, Failed, PartiallyRemediated, Running, PendingApproval, PendingResource, PartiallyInvestigated, TerminatedByUser, TerminatedBySystem, Queued, InnerFailure, PreexistingAlert, UnsupportedOs, UnsupportedAlertType, SuppressedAlert.
  classification: The specification for the incident. The property values are: Unknown, FalsePositive, TruePositive, or null.
  determination: Specifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other, or null.
  assignedTo: Owner of the incident, or null if no owner is assigned.
  actorName: The activity group, if any, associated with this alert.
  threatFamilyName: Threat family associated with this alert.
  mitreTechniques: The attack techniques, as aligned with the MITRE ATT&CK™ framework.
devices: All devices where alerts related to the incident were sent. Each device carries the following fields:
  DeviceId: The device ID as designated in Microsoft Defender for Endpoint.
  aadDeviceId: The device ID as designated in Azure Active Directory. Only available for domain-joined devices.
  deviceDnsName: The fully qualified domain name for the device.
  osPlatform: The OS platform the device is running.
  osBuild: The build version for the OS the device is running.
  rbacGroupName: The role-based access control (RBAC) group associated with the device.
  firstSeen: Time when the device was first seen.
  healthStatus: The health state of the device.
  riskScore: The risk score for the device.
entities: All entities that have been identified to be part of, or related to, a given alert. Each entity carries the following fields:
  entityType: Entities that have been identified to be part of, or related to, a given alert. The property values are: User, Ip, Url, File, Process, MailBox, MailMessage, MailCluster, Registry.
  sha1: Available if entityType is File. The file hash for alerts associated with a file or process.
  sha256: Available if entityType is File. The file hash for alerts associated with a file or process.
  fileName: Available if entityType is File. The file name for alerts associated with a file or process.
  filePath: Available if entityType is File. The file path for alerts associated with a file or process.
  processId: Available if entityType is Process.
  processCommandLine: Available if entityType is Process.
  processCreationTime: Available if entityType is Process.
  parentProcessId: Available if entityType is Process.
  parentProcessCreationTime: Available if entityType is Process.
  ipAddress: Available if entityType is Ip. IP address for alerts associated with network events, such as communication to a malicious network destination.
  url: Available if entityType is Url. URL for alerts associated with network events, such as communication to a malicious network destination.
  accountName: Available if entityType is User.
  domainName: Available if entityType is User.
  userSid: Available if entityType is User.
  aadUserId: Available if entityType is User.
  userPrincipalName: Available if entityType is User/MailBox/MailMessage.
  mailboxDisplayName: Available if entityType is MailBox.
  mailboxAddress: Available if entityType is User/MailBox/MailMessage.
  clusterBy: Available if entityType is MailCluster.
  sender: Available if entityType is User/MailBox/MailMessage.
  recipient: Available if entityType is MailMessage.
  subject: Available if entityType is MailMessage.
  deliveryAction: Available if entityType is MailMessage.
  securityGroupId: Available if entityType is SecurityGroup.
  securityGroupName: Available if entityType is SecurityGroup.
  registryHive: Available if entityType is Registry.
  registryKey: Available if entityType is Registry.
  registryValueType: Available if entityType is Registry.
  registryValue: Available if entityType is Registry.
  deviceId: The ID, if any, of the device related to the entity.
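The nested incident, alerts, entities structure above is easiest to understand by walking a record of that shape. The following is an added example (not Microsoft's or Wavecrest's code): it takes a constructed incident that follows the field names in the table, picks out the alerts at or above a chosen severity, groups entities by entityType while keeping only the properties the table says apply to that type, and flattens the file, IP and URL observables into a list a defender could feed into a hunt query. The incident contents (IDs, hashes, hostnames, addresses) are placeholders, and the per-type property lists are taken directly from the "Available if entityType is ..." rows.

```python
"""Walk a Microsoft 365 Defender incident record and extract triage data.

Added example, not Microsoft's or Wavecrest's code. SAMPLE_INCIDENT is
constructed sample data: every ID, hash, address and name is a placeholder.
"""
import json
from collections import defaultdict

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Properties the field table lists for each entityType ("Available if entityType is ...").
ENTITY_KEYS = {
    "File": ("sha1", "sha256", "fileName", "filePath"),
    "Process": ("processId", "processCommandLine", "processCreationTime",
                "parentProcessId", "parentProcessCreationTime"),
    "Ip": ("ipAddress",),
    "Url": ("url",),
    "User": ("accountName", "domainName", "userSid", "aadUserId", "userPrincipalName"),
    "MailBox": ("mailboxDisplayName", "mailboxAddress", "userPrincipalName"),
    "MailMessage": ("sender", "recipient", "subject", "deliveryAction", "userPrincipalName"),
    "MailCluster": ("clusterBy",),
    "Registry": ("registryHive", "registryKey", "registryValueType", "registryValue"),
}

# Constructed incident in the shape described by the field table (placeholder values).
SAMPLE_INCIDENT = {
    "incidentId": 1001, "redirectIncidentId": None,
    "incidentName": "Multi-stage incident on one endpoint",
    "createdTime": "2024-01-15T08:00:00Z", "lastUpdateTime": "2024-01-15T09:30:00Z",
    "assignedTo": None, "classification": "Unknown", "determination": "NotAvailable",
    "status": "Active", "severity": "High", "tags": [], "comments": [],
    "alerts": [
        {"alertId": "alert-placeholder-1", "serviceSource": "MicrosoftDefenderForEndpoint",
         "title": "Suspicious script launched", "category": "Execution", "severity": "High",
         "status": "New", "investigationState": "Running", "mitreTechniques": ["T1059.001"],
         "entities": [
             {"entityType": "User", "accountName": "jdoe", "domainName": "CORP", "deviceId": "dev-1"},
             {"entityType": "Process", "processId": 4242,
              "processCommandLine": "powershell.exe -File invoice.ps1", "deviceId": "dev-1"},
             {"entityType": "File", "fileName": "invoice.ps1", "sha256": "0" * 64, "deviceId": "dev-1"},
         ]},
        {"alertId": "alert-placeholder-2", "serviceSource": "MicrosoftDefenderForOffice365",
         "title": "Phishing email delivered", "category": "InitialAccess", "severity": "Medium",
         "status": "New", "investigationState": "Queued", "mitreTechniques": ["T1566.001"],
         "entities": [
             {"entityType": "MailMessage", "sender": "sender@example.net",
              "recipient": "jdoe@example.com", "subject": "Invoice", "deliveryAction": "Delivered"},
             {"entityType": "Url", "url": "http://phish.example.net/invoice"},
             {"entityType": "Ip", "ipAddress": "203.0.113.10"},
         ]},
    ],
}


def alerts_at_or_above(incident, min_severity):
    """Alerts whose severity is at least min_severity (unknown severities are excluded)."""
    floor = SEVERITY_RANK[min_severity]
    return [a for a in incident["alerts"]
            if SEVERITY_RANK.get(a.get("severity"), -1) >= floor]


def entities_by_type(incident):
    """Group every entity of every alert by entityType, keeping only the properties
    the schema defines for that type plus the common deviceId and the owning alertId."""
    grouped = defaultdict(list)
    for alert in incident["alerts"]:
        for ent in alert.get("entities", []):
            etype = ent.get("entityType")
            keep = {k: ent[k] for k in ENTITY_KEYS.get(etype, ()) if k in ent}
            if "deviceId" in ent:
                keep["deviceId"] = ent["deviceId"]
            keep["alertId"] = alert["alertId"]
            grouped[etype].append(keep)
    return dict(grouped)


def indicators(incident):
    """Flatten file hashes, IPs and URLs into sorted (kind, value) pairs for hunting."""
    found = set()
    for etype, ents in entities_by_type(incident).items():
        for e in ents:
            if etype == "File":
                found.update((h, e[h]) for h in ("sha256", "sha1") if h in e)
            elif etype == "Ip":
                found.add(("ip", e["ipAddress"]))
            elif etype == "Url":
                found.add(("url", e["url"]))
    return sorted(found)


def techniques(incident):
    """Distinct MITRE ATT&CK technique IDs referenced by any alert in the incident."""
    return sorted({t for a in incident["alerts"] for t in a.get("mitreTechniques", [])})


if __name__ == "__main__":
    summary = {
        "high_alerts": [a["title"] for a in alerts_at_or_above(SAMPLE_INCIDENT, "High")],
        "entity_counts": {k: len(v) for k, v in entities_by_type(SAMPLE_INCIDENT).items()},
        "indicators": indicators(SAMPLE_INCIDENT),
        "techniques": techniques(SAMPLE_INCIDENT),
    }
    print(json.dumps(summary, indent=2))
```

The type-to-property map is the useful part: because the API only populates the properties that apply to an entityType, code that reads `sha256` from a User entity or `accountName` from a File entity silently gets nothing, so filtering by the table's rules up front keeps downstream reports honest.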

Web Data Source Field Definitions

Field Name: Definition

appsite: Friendly name for a website or application.
authtype
blocked: This occurs because the user is not authorized to access the site, that is, their access has been "blocked." However, it can also be caused by technical anomalies, for example, "page not found by server."
bytes: Number of total bytes (transmit and receive) for the session.
category: Describes the content of a web page that was visited.
classification: User-defined classification for the website content that was visited. Values could be any of the following: Acceptable, Unacceptable, and Neutral.
clientin
clientout
contenttype: Refers to an HTTP header field that specifies the type of data contained in the body of an HTTP request or response. Values could be any of the following: jpeg, mpeg, pdf, html, css, etc.
datetime: Date/time stamp associated with each record hit.
domain: A fully qualified domain name (FQDN) is a complete and unambiguous domain name that specifies the exact location of a specific resource on the internet.
group: Organizational groups are structured in a hierarchical manner, forming a tree-like structure.
hit: Number of records (represents a record count).
identity
ip: Source IP address.
network
outboundip: Destination IP address.
proxyport
refererdomain: HTTP header field that indicates the URL or domain from which a user navigated to the current page.
resultcode: HTTP status codes that are used to indicate the result or status of an HTTP request made to a web server. Some commonly encountered codes are: 200 OK, 404 Not Found, etc.
searchterms: Search query or keyword; refers to the specific words or phrases that a user enters into a search engine to find information on a particular topic.
serverin
serverout
source
timeonline: An approximation of the time that a user spends on the Internet. Wavecrest's Smart Engine algorithms can produce the most accurate time online measurement.
user: Field refers to the information recorded about the user associated with a specific network connection or traffic event.
useragent: HTTP header field sent by a web browser or other client software when making a request to a web server. It identifies the client's software, version, and other relevant information to help the server understand the capabilities and requirements of the client.
visit: A click action for the purpose of visiting a website. One click equals one request for a web page.

Palo Alto Data Source Field Definitions

Field Name: Definition

action: Action taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, block-url.
action_source: Specifies whether the action taken to allow or block an application was defined in the application or in policy. The actions can be allow, deny, drop, reset-server, reset-client or reset-both for the session.
application: Application associated with the session.
application_category: The application category specified in the application configuration properties.
application_risk: Risk level associated with the application (1=lowest to 5=highest).
application_saas: Displays yes if a SaaS application or no if not a SaaS application.
application_subcategory: The application subcategory specified in the application configuration properties.
application_technology: The application technology specified in the application configuration properties.
bytes: Number of total bytes (transmit and receive) for the session.
category: Describes the content of a web page that was visited.
contenttype: Refers to an HTTP header field that specifies the type of data contained in the body of an HTTP request or response. Values could be any of the following: jpeg, mpeg, pdf, html, css, etc.
datetime: Date/time stamp associated with each record hit.
dest_country: Destination country or internal region for private addresses.
dest_ip: Original session destination IP address.
dest_zone: Zone the session was destined to.
deviceLogType
direction: Indicates the direction of the attack, client-to-server or server-to-client.
group: Organizational groups are structured in a hierarchical manner, forming a tree-like structure.
hit: Number of records (represents a record count).
http2_connection: Identifies whether traffic used an HTTP/2 connection or not.
identity
ip: Original session source IP address.
ip_protocol: IP protocol associated with the session.
port: Destination port utilized by the session.
recordName
referrer
results
rule: Name of the rule that the session matched.
severity
source
source_zone: Zone the session was sourced from.
threat_category: Describes threat categories used to classify different types of threat signatures.
Threat_contenttype: Subtype of the threat and traffic log.
threat_id: Palo Alto Networks identifier for known and custom threats.
type: Specifies the type of log.
url
user: Field refers to the information recorded about the user associated with a specific network connection or traffic event.
useragent: HTTP header field sent by a web browser or other client software when making a request to a web server. It identifies the client's software, version, and other relevant information to help the server understand the capabilities and requirements of the client.
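The Palo Alto fields above (action, application_risk, application_saas, type, threat_id, severity, rule, bytes) are the ones a reviewer reaches for when asking whether the firewall policy is actually doing its job. The following is an added example, not Wavecrest's or Palo Alto Networks' code, that reads a few constructed records using those field names and answers three such questions: which threat-log records were allowed or only alerted on rather than blocked, which rules let high-risk applications through, and which SaaS sessions moved an unusual volume of data. The action values come from the table; the severity ordering (informational, low, medium, high, critical) and the type values (traffic, threat) are assumptions for the sample, and every address, rule name and threat ID is a placeholder.

```python
"""Triage checks over Palo Alto style session records.

Added example, not Wavecrest's or Palo Alto Networks' code. SAMPLE_LOG is
constructed: addresses use documentation ranges and rule names and threat IDs
are placeholders. Severity ordering and the type values are assumptions.
"""
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed records using the field names from the table above.
SAMPLE_LOG = """\
datetime,type,action,application,application_risk,application_saas,ip,dest_ip,port,ip_protocol,rule,threat_id,severity,direction,bytes
2024-01-15 08:00:01,traffic,allow,web-browsing,4,no,10.0.0.5,203.0.113.10,443,tcp,allow-outbound-web,,,client-to-server,15320
2024-01-15 08:00:05,threat,alert,web-browsing,4,no,10.0.0.5,203.0.113.10,443,tcp,allow-outbound-web,THREAT-ID-PLACEHOLDER-1,high,server-to-client,2048
2024-01-15 08:01:10,threat,reset-both,smtp,5,no,10.0.0.7,198.51.100.22,25,tcp,block-mail-threats,THREAT-ID-PLACEHOLDER-2,critical,client-to-server,512
2024-01-15 08:02:00,traffic,deny,bittorrent,5,no,10.0.0.9,192.0.2.40,6881,tcp,deny-p2p,,,client-to-server,0
2024-01-15 08:03:30,traffic,allow,dropbox-base,3,yes,10.0.0.5,192.0.2.80,443,tcp,allow-saas,,,client-to-server,904000
"""

# Action values from the field table that stop the session; alert and allow do not.
BLOCKING_ACTIONS = {"deny", "drop", "drop-all-packets", "reset-client",
                    "reset-server", "reset-both", "block-url"}

# Assumed severity ordering for the sample (the table leaves severity undefined).
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_records(text):
    """Parse CSV text into dicts, converting the numeric fields."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["application_risk"] = int(r["application_risk"])
        r["bytes"] = int(r["bytes"])
        r["port"] = int(r["port"])
    return rows


def unblocked_threats(rows, min_severity="high"):
    """Threat-log records at or above min_severity whose action did not stop the session.
    These are the detections that reached the target and need follow-up."""
    floor = SEVERITY_RANK[min_severity]
    return [r for r in rows
            if r["type"] == "threat"
            and r["action"] not in BLOCKING_ACTIONS
            and SEVERITY_RANK.get(r["severity"].lower(), -1) >= floor]


def high_risk_allowed_apps(rows, min_risk=4):
    """Count allowed traffic sessions per (rule, application) where application_risk >= min_risk,
    which points at the policy rules that deserve a review."""
    counts = Counter()
    for r in rows:
        if r["type"] == "traffic" and r["action"] == "allow" and r["application_risk"] >= min_risk:
            counts[(r["rule"], r["application"])] += 1
    return dict(counts)


def large_saas_sessions(rows, threshold_bytes=500_000):
    """SaaS sessions whose total bytes (transmit plus receive, per the field definition)
    exceed the threshold; a cheap first cut for data-movement review."""
    return [(r["ip"], r["application"], r["bytes"]) for r in rows
            if r["application_saas"] == "yes" and r["bytes"] >= threshold_bytes]


def bytes_by_source(rows):
    """Total session bytes per source ip."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["ip"]] += r["bytes"]
    return dict(totals)


if __name__ == "__main__":
    records = parse_records(SAMPLE_LOG)
    for r in unblocked_threats(records):
        print("unblocked threat:", r["threat_id"], r["severity"], r["ip"], "->", r["dest_ip"], "action", r["action"])
    print("high-risk apps allowed:", high_risk_allowed_apps(records))
    print("large SaaS sessions:", large_saas_sessions(records))
    print("bytes by source:", bytes_by_source(records))
```

Note that `alert` is deliberately treated as not blocking: a threat signature that fires with action alert has still let the traffic through, and grouping it with the reset and drop actions would hide exactly the records an analyst needs to see.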

Getting Started – Visualizer

After logging into the Visualizer you will be presented with a default blank dashboard. To start adding report panels to your new dashboard, follow the instructions below:

  • Click "Add New Panel" to get started.
  • On the next screen, "New Panel," you will be presented with two options:
    • Create From Template: As you create panels you will have the option of creating a new panel based on an existing template you previously created.
    • Create New Panel: Select this option to build a new panel.

Manage Dashboards

To manage your dashboard follow these steps:

  • Click “Manage Dashboards” icon to manage all created dashboards.
  • On this screen you have the ability to:
    • Change the order your dashboard tabs are displayed.
    • Rename your dashboards.
    • Delete any dashboard.

Add a new Dashboard

To add a new dashboard, follow these steps:

  • Click the “Add Dashboard” icon located in the top right corner of your dashboard.
  • Select one of two options, “Create from Template” or “Create New Dashboard.”
    • Create from Template: To create a new dashboard from an existing template.
    • Create New dashboard: To create a new dashboard.

Panel Filter

How to create a panel filter:

  • You will first have to configure your "Data Source" before you can create your first filter.
  • Select the "Filtering" tab on the panel configuration screen.
  • Click "Add Filter." Note: The "Logic" field of the first created filter is locked to the "AND" operator.
  • Select whether the filter should "include" or "exclude" your field.
  • Select the match logic to use on your field.
  • If you are just adding a single panel filter, click "Add." If additional panel filters are needed, click "Add + New."
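To make the include/exclude and logic settings concrete, here is an added example (not Wavecrest's code, and not how the Visualizer implements filtering internally) that evaluates a chain of panel filters over constructed Web data source records using the field names from that table. It follows the rule stated above that the first filter's logic is always AND; the match-logic names (equals, contains, starts_with, in) and the availability of an OR operator for later filters are assumptions made for the illustration, and the user names, groups and domains are placeholders.

```python
"""Evaluate a chain of panel filters (include/exclude, match logic, AND/OR)
over Web data source records.

Added example, not Wavecrest's code. The records are constructed; the match
names and the OR operator for later filters are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed Web data source records using field names from the table above.
WEB_RECORDS = [
    {"user": "jdoe", "group": "Finance", "domain": "news.example.com", "category": "News",
     "classification": "Neutral", "blocked": "no", "resultcode": 200, "bytes": 48210, "hit": 1},
    {"user": "jdoe", "group": "Finance", "domain": "games.example.net", "category": "Games",
     "classification": "Unacceptable", "blocked": "yes", "resultcode": 403, "bytes": 0, "hit": 1},
    {"user": "asmith", "group": "Engineering", "domain": "docs.example.org", "category": "Reference",
     "classification": "Acceptable", "blocked": "no", "resultcode": 200, "bytes": 12000, "hit": 1},
    {"user": "asmith", "group": "Engineering", "domain": "games.example.net", "category": "Games",
     "classification": "Unacceptable", "blocked": "yes", "resultcode": 403, "bytes": 0, "hit": 1},
    {"user": "bwong", "group": "Finance", "domain": "cdn.example.com", "category": "Content Delivery",
     "classification": "Neutral", "blocked": "no", "resultcode": 404, "bytes": 300, "hit": 1},
]

# Assumed match-logic names; comparisons are case-insensitive on the string form.
MATCHERS = {
    "equals": lambda value, target: str(value).lower() == str(target).lower(),
    "contains": lambda value, target: str(target).lower() in str(value).lower(),
    "starts_with": lambda value, target: str(value).lower().startswith(str(target).lower()),
    "in": lambda value, target: str(value).lower() in {str(t).lower() for t in target},
}


@dataclass
class PanelFilter:
    field: str
    match: str          # one of MATCHERS
    target: object
    include: bool = True    # include keeps matching records; exclude drops them
    logic: str = "AND"      # how this filter combines with the ones before it (ignored on the first)


def record_passes(record, filters):
    """Combine the filters left to right. The first filter's logic is locked to AND,
    exactly as the instructions above state, so it simply seeds the verdict."""
    verdict = True
    for i, f in enumerate(filters):
        matched = MATCHERS[f.match](record.get(f.field, ""), f.target)
        keep = matched if f.include else not matched
        if i == 0 or f.logic == "AND":
            verdict = verdict and keep
        elif f.logic == "OR":
            verdict = verdict or keep
        else:
            raise ValueError(f"unknown logic operator: {f.logic}")
    return verdict


def apply_filters(records, filters):
    return [r for r in records if record_passes(r, filters)]


def summarize(records, by):
    """Sum hit and bytes per value of the chosen field, as a panel would."""
    totals = defaultdict(lambda: {"hit": 0, "bytes": 0})
    for r in records:
        totals[r[by]]["hit"] += r["hit"]
        totals[r[by]]["bytes"] += r["bytes"]
    return dict(totals)


if __name__ == "__main__":
    blocked_unacceptable = [
        PanelFilter("classification", "equals", "Unacceptable"),
        PanelFilter("blocked", "equals", "yes"),
    ]
    print(summarize(apply_filters(WEB_RECORDS, blocked_unacceptable), "user"))
    not_finance_errors = [
        PanelFilter("group", "equals", "Finance", include=False),
        PanelFilter("resultcode", "in", [403, 404]),
    ]
    print(apply_filters(WEB_RECORDS, not_finance_errors))
```

The exclude filter is the part that trips people up: "exclude group equals Finance" keeps the records whose group does not match, and only then is the next filter applied, so the order in which filters are stacked changes nothing under AND but does matter once an OR is introduced.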

Print Panel

To print a panel, follow these instructions:

  • Click the arrow next to the panel title.
  • On the Panel actions popup click “Print Chart.”
  • The chart will now appear in its own browser tab.
  • Use the browser print options to either print or save as PDF.

Delete Panel

To delete a panel follow these steps:

  • Click the arrow next to the panel title.
  • On the Panel actions popup click “Delete.”
    • Important Note: This will delete the panel from the Dashboard and from the panel templates. If you want to use this chart on a different dashboard, make sure you have duplicated it before deleting.

Add Panel

To add a new panel follow these steps:

  • Click the “Add Panel” icon located in the top right corner of your dashboard.
  • Next you will be presented with two options, “Create from Template” or “Create New Panel.”
    • Create from Template: If you want to create a new panel from an existing panel.
    • Create New Panel: If you are creating a brand new panel.