Visualizer Archives - Wavecrest Knowledge Base

Defender Data Source Field Definitions

An incident in Microsoft 365 Defender is a collection of correlated alerts and associated data that make up the story of an attack.

Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. However, attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities in your tenant.

Because piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft 365 Defender automatically aggregates the alerts and their associated information into an incident.

Field Name	Definition
incidentId	Unique identifier to represent the incident
redirectIncidentId	Only populated in case an incident is being grouped together with another incident, as part of the incident processing logic.
incidentName	String value available for every incident.
createdTime	Time when incident was first created.
lastUpdateTime	Time when the incident was last updated on the backend.This field can be used when you’re setting the request parameter for the range of time that incidents are retrieved.
assignedTo	Owner of the incident, or null if no owner is assigned.
classification	The specification for the incident. The property values are: Unknown, FalsePositive, TruePositive
determination	Specifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other
detectionSource	Specifies source of detection.
status	Categorize incidents (as Active, or Resolved). It can help you organize and manage your response to incidents.
severity	Indicates the possible impact on assets. The higher the severity the bigger the impact. Typically higher severity items require the most immediate attention.One of the following values: Informational, Low, *Medium, and High.
tags	Array of custom tags associated with an incident, for example to flag a group of incidents with a common characteristic.
comments	Array of comments created by secops when managing the incident, for example additional information about the classification selection.
alerts	Array containing all of the alerts related to the incident, plus other information, such as severity, entities that were involved in the alert, and the source of the alerts.
alertId	Unique identifier to represent the alert
incidentId	Unique identifier to represent the incident this alert is associated with
serviceSource	Service that the alert originates from, such as Microsoft Defender for Endpoint, Microsoft Defender for Cloud Apps, Microsoft Defender for Identity, or Microsoft Defender for Office 365.
creationTime	Time when alert was first created.
lastUpdatedTime	Time when alert was last updated at the backend.
resolvedTime	Time when alert was resolved.
firstActivity	Time when alert first reported that activity was updated at the backend.
title	Brief identifying string value available for each alert.
description	String value describing each alert.
category	Visual and numeric view of how far the attack has progressed along the kill chain. Aligned to the MITRE ATT&CK™ framework.
status	Categorize alerts (as New, Active, or Resolved). It can help you organize and manage your response to alerts.
severity	Indicates the possible impact on assets. The higher the severity the bigger the impact. Typically higher severity items require the most immediate attention. One of the following values: Informational, Low, Medium, and High.
investigationId	The automated investigation ID triggered by this alert.
investigationState	Information on the investigation’s current status. One of the following values: Unknown, Terminated, SuccessfullyRemediated, Benign, Failed, PartiallyRemediated, Running, PendingApproval, PendingResource, PartiallyInvestigated, TerminatedByUser, TerminatedBySystem, Queued, InnerFailure, PreexistingAlert, UnsupportedOs, UnsupportedAlertType, SuppressedAlert.
classification	The specification for the incident. The property values are: Unknown, FalsePositive, TruePositive, or null
determination	Specifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other or null
assignedTo	Owner of the incident, or null if no owner is assigned.
actorName	The activity group, if any, the associated with this alert.
threatFamilyName	Threat family associated with this alert.
mitreTechniques	The attack techniques, as aligned with the MITRE ATT&CK™ framework.
devices	All devices where alerts related to the incident were sent.
DeviceId	The device ID as designated in Microsoft Defender for Endpoint.
aadDeviceId	The device ID as designated in Azure Active Directory. Only available for domain-joined devices.
deviceDnsName	The fully qualified domain name for the device.
osPlatform	The OS platform the device is running.
osBuild	The build version for the OS the device is running.
rbacGroupName	The role-based access control (RBAC) group associated with the device.
firstSeen	Time when device was first seen.
healthStatus	The health state of the device.
riskScore	The risk score for the device.
entities	All entities that have been identified to be part of, or related to, a given alert.
entityType	Entities that have been identified to be part of, or related to, a given alert. The properties values are: User, Ip, Url, File, Process, MailBox, MailMessage, MailCluster, Registry
sha1	Available if entityType is File. The file hash for alerts associated with a file or process.
sha256	Available if entityType is File. The file hash for alerts associated with a file or process.
fileName	Available if entityType is File. The file name for alerts associated with a file or process
filePath	Available if entityType is File. The file path for alerts associated with a file or process
processId	Available if entityType is Process.
processCommandLine	Available if entityType is Process.
processCreationTime	Available if entityType is Process.
parentProcessId	Available if entityType is Process.
parentProcessCreationTime	Available if entityType is Process.
ipAddress	Available if entityType is Ip. IP address for alerts associated with network events, such as Communication to a malicious network destination.
url	Available if entityType is Url. Url for alerts associated to network events, such as, Communication to a malicious network destination.
accountName	Available if entityType is User.
domainName	Available if entityType is User.
userSid	Available if entityType is User.
aadUserId	Available if entityType is User.
userPrincipalName	Available if entityType is User/MailBox/MailMessage.
mailboxDisplayName	Available if entityType is MailBox.
mailboxAddress	Available if entityType is User/MailBox/MailMessage.
clusterBy	Available if entityType is MailCluster.
sender	Available if entityType is User/MailBox/MailMessage.
recipient	Available if entityType is MailMessage.
subject	Available if entityType is MailMessage.
deliveryAction	Available if entityType is MailMessage.
securityGroupId	Available if entityType is SecurityGroup.
securityGroupName	Available if entityType is SecurityGroup.
registryHive	Available if entityType is Registry.
registryKey	Available if entityType is Registry.
registryValueType	Available if entityType is Registry.
registryValue	Available if entityType is Registry.
deviceId	The ID, if any, of the device related to the entity.

Web Data Source Field Definitions

Category: Panel, Visualizer

Field Name	Definition
appsite	Friendly name for a Website or Application
authtype
blocked	This occurs because the user is not authorized to access the site, that is, his access has been “blocked.” However, it can also be caused by technical anomalies, for example, “page not found by server.”
bytes	Number of total bytes (transmit and receive) for the session.
category	Describes the content of a Web page that was visited.
classification	User defined classification for the website content that was visited. Values could be any of the following: Acceptable, Unacceptable and Neutral
clientin
clientout
contenttype	Refers to an HTTP header field that specifies the type of data contained in the body of an HTTP request or response. Values could be any of the following: jpeg, mpeg, pdf, html, css, etc.
datetime	Date time stamp associated with each recrod hit
domain	A fully qualified domain name (FQDN) is a complete and unambiguous domain name that specifies the exact location of a specific resource on the internet.
group	Organizational groups are structured in a hierarchical manner, forming a tree-like structure.
hit	Number of records (represents a record count)
identity
ip	Source IP Address
network
outboundip	Destination IP Address
proxyport
refererdomain	HTTP header field that indicates the URL or domain from which a user navigated to the current page.
resultcode	HTTP status codes that are used to indicate the result or status of an HTTP request made to a web server. Some commonly encountered codes are: 200 OK, 404 Not Found, etc.
searchterms	Search query or keyword, refers to the specific words or phrases that a user enters into a search engine to find information on a particular topic.
serverin
serverout
source
timeonline	An approximation of the time that a user spends on the Internet. Wavecrest’s Smart Engine algorithms can produce the most accurate time online measurement.
user	Field refers to the information recorded about the user associated with a specific network connection or traffic event.
useragent	HTTP header field sent by a web browser or other client software when making a request to a web server. It identifies the client’s software, version, and other relevant information to help the server understand the capabilities and requirements of the client.
visit	A click action for the purpose of visiting a Web site. One click equals one request for a Web page.

Palo Alto Data Source Field Definitions

Category: Panel, Visualizer

Field Name	Definition
action	Action taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, block-url.
action_source	Specifies whether the action taken to allow or block an application was defined in the application or in policy. The actions can be allow, deny, drop, reset- server, reset-client or reset-both for the session.
application	Application associated with the session.
application_category	The application category specified in the application configuration properties.
application_risk	Risk level associated with the application (1=lowest to 5=highest).
application_saas	Displays yes if a SaaS application or no if not a SaaS application.
application_subcategory	The application subcategory specified in the application configuration properties.
application_technology	The application technology specified in the application configuration properties.
bytes	Number of total bytes (transmit and receive) for the session.
category	Describes the content of a Web page that was visited.
contenttype	Refers to an HTTP header field that specifies the type of data contained in the body of an HTTP request or response. Values could be any of the following: jpeg, mpeg, pdf, html, css, etc.
datetime	Date time stamp associated with each recrod hit
dest_country	Destination country or Internal region for private addresses.
dest_ip	Original session destination IP address.
dest_zone	Zone the session was destined to.
deviceLogType
direction	Indicates the direction of the attack, client-to-server or server-to-client
group	Organizational groups are structured in a hierarchical manner, forming a tree-like structure.
hit	Number of records (represents a record count)
http2_connection	Identifies if traffic used an HTTP/2 Connection or not
identity
ip	Original session source IP address.
ip_protocol	IP protocol associated with the session.
port	Destination port utilized by the session.
recordName
referrer
results
rule	Name of the rule that the session matched.
severity
source
source_zone	Zone the session was sourced from.
threat_category	Describes threat categories used to classify different types of threat signatures.
Threat_contenttype	Subtype of the threat and traffic log
threat_id	Palo Alto Networks identifier for known and custom threats.
type	Specifies the type of log;
url
user	Field refers to the information recorded about the user associated with a specific network connection or traffic event.
useragent	HTTP header field sent by a web browser or other client software when making a request to a web server. It identifies the client’s software, version, and other relevant information to help the server understand the capabilities and requirements of the client.

Getting Started – Visualizer

Category: Dashboard, Panel, Visualizer

After logging into the visualizer you will be presented with a default blank dashboard. To start adding reports panels to your new dashboard please follow the below instructions:

Click “Add New Panel” to get started.
On the next screen, “New Panel,” you will be presented with two options:
- Create From Template: As you create panels you will have the option of creating a new panel based on an existing template you previously created.
- Create New Panel: Select this option to build a new panel.

Visualizer Getting Started

Manage Dashboards

Category: Dashboard, Visualizer

To manage your dashboard follow these steps:

Click “Manage Dashboards” icon to manage all created dashboards.
On this screen you have the ability to:
- Change the order your dashboard tabs are displayed.
- Rename your dashboards.
- Delete any dashboard.

Add a new Dashboard

Category: Dashboard, Visualizer

To add a new dashboard following these steps:

Click the “Add Dashboard” icon located in the top right corner of your dashboard.
Select one of two options, “Create from Template” or “Create New Dashboard.”
- Create from Template: To create a new dashboard from an existing template.
- Create New dashboard: To create a new dashboard.

Panel Filter

Category: Panel, Visualizer

How to create a panel filter:

You will first have to configure your “Data Source” before you can create your first filter.
Select “Filtering” tab on the panel configuration screen.
Click “Add Filter.” Note: The first created filter “Logic” field is locked as the “AND” operator.
Select whether the filter should “include” or “exclude” your field.
Select the match logic to use on your field.
If you are just adding a single panel filter, click “Add.” If additional panel filters are needed, click “Add + New.”

Print Panel

Category: Dashboard, Panel, Visualizer

To print a panel, follow these instructions:

Click the arrow next to the panel title ““.
On the Panel actions popup click “Print Chart.”
The chart will now appear in its own browser tab.
Use the browser print options to either print or save as PDF.

Delete Panel

Category: Dashboard, Visualizer

To delete a panel follow these steps:

Click the arrow next to the panel title ““.
On the Panel actions popup click “Delete.”
- Important Note: This will delete the panel from the Dashboard and from the panel templates. If you want to use this chart on a different dashboard, make sure you have duplicated it before deleting.

Add Panel

Category: Dashboard, Visualizer

To add a new panel follow these steps:

Click the “Add Panel” icon located in the top right corner of your dashboard.
Next you will be presented with two options, “Create from Template” or “Create New Panel.”
- Create from Template: If you want to create a new panel from an existing panel.
- Create New Panel: If you are creating a brand new panel.