splunk · nasbench · Apr 13, 2026 · Apr 8, 2026 · Apr 13, 2026
@@ -1,13 +1,13 @@
 name: Microsoft Defender ATP Alerts
 id: 38f034ed-1598-46c8-95e8-14edf05fdf5d
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-04-08'
 author: Bryan Pluta, Bhavin Patel, Splunk
 status: production
 type: TTP
 data_source:
     - MS Defender ATP Alerts
-description: The following analytic is to leverage alerts from Microsoft Defender ATP Alerts. This query aggregates and summarizes all alerts from Microsoft Defender ATP Alerts, providing details such as the source, file name, severity, process command line, ip address, registry key, signature, description, unique id, and timestamps. This detection is not intended to detect new activity from raw data, but leverages Microsoft provided alerts to be correlated with other data as part of risk based alerting. The data contained in the alert is mapped not only to the risk obejct, but also the threat object. This detection filters out evidence that has a verdict of clean from Microsoft. It dynamically maps the MITRE technique at search time to auto populate the annotation field with the value provided in the alert. It also uses a dynamic mapping to set the risk score in Enterprise Security based on the severity of the alert.
+description: The following analytic is to leverage alerts from Microsoft Defender ATP Alerts. This query aggregates and summarizes all alerts from Microsoft Defender ATP Alerts, providing details such as the source, file name, severity, process command line, ip address, registry key, signature, description, unique id, and timestamps. This detection is not intended to detect new activity from raw data, but leverages Microsoft provided alerts to be correlated with other data as part of risk based alerting. The data contained in the alert is mapped not only to the risk object, but also the threat object. This detection filters out evidence that has a verdict of clean from Microsoft. It dynamically maps the MITRE technique at search time to auto populate the annotation field with the value provided in the alert. It also uses a dynamic mapping to set the risk score in Enterprise Security based on the severity of the alert.
 search: |-
     `ms_defender_atp_alerts` (dest=* OR user=*)
       | eval tmp_evidence=json_extract(_raw, "evidence"), tmp_evidencemv=json_array_to_mv(tmp_evidence), entityType = mvmap(tmp_evidencemv, spath(tmp_evidencemv, "entityType")), filePath = mvmap(tmp_evidencemv, spath(tmp_evidencemv, "filePath")), processCommandLine = mvmap(tmp_evidencemv, spath(tmp_evidencemv, "processCommandLine")), ipAddress = mvmap(tmp_evidencemv, spath(tmp_evidencemv, "ipAddress")), registryKey = mvmap(tmp_evidencemv, spath(tmp_evidencemv, "registryKey")), url = mvmap(tmp_evidencemv, spath(tmp_evidencemv, "url")), fileName = mvmap(tmp_evidencemv, spath(tmp_evidencemv, "fileName"))

@@ -1,13 +1,13 @@
 name: Microsoft Defender Incident Alerts
 id: 13435b55-afd8-46d4-9045-7d5457f430a5
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-04-08'
 author: Bryan Pluta, Bhavin Patel, Splunk, lyonheart14, Github Community
 status: production
 type: TTP
 data_source:
     - MS365 Defender Incident Alerts
-description: The following analytic is to leverage alerts from Microsoft Defender O365 Incidents. This query aggregates and summarizes all alerts from Microsoft Defender O365 Incidents, providing details such as the destination, file name, severity, process command line, ip address, registry key, signature, description, unique id, and timestamps. This detection is not intended to detect new activity from raw data, but leverages Microsoft provided alerts to be correlated with other data as part of risk based alerting. The data contained in the alert is mapped not only to the risk obejct, but also the threat object. This detection filters out evidence that has a verdict of clean from Microsoft. It dynamically maps the MITRE technique at search time to auto populate the annotation field with the value provided in the alert. It also uses a static mapping to set the risk score based on the severity of the alert.
+description: The following analytic is to leverage alerts from Microsoft Defender O365 Incidents. This query aggregates and summarizes all alerts from Microsoft Defender O365 Incidents, providing details such as the destination, file name, severity, process command line, ip address, registry key, signature, description, unique id, and timestamps. This detection is not intended to detect new activity from raw data, but leverages Microsoft provided alerts to be correlated with other data as part of risk based alerting. The data contained in the alert is mapped not only to the risk object, but also the threat object. This detection filters out evidence that has a verdict of clean from Microsoft. It dynamically maps the MITRE technique at search time to auto populate the annotation field with the value provided in the alert. It also uses a static mapping to set the risk score based on the severity of the alert.
 search: |-
     `ms365_defender_incident_alerts`  (dest=* OR user=*)
       | eval tmp_entities=json_extract(_raw, "entities"), tmp_entitymv=json_array_to_mv(tmp_entities), tmp_filtered_mv=mvfilter(json_extract(tmp_entitymv, "verdict") != "Clean"), entityType = mvmap(tmp_filtered_mv, spath(tmp_filtered_mv, "entityType")), filePath = mvmap(tmp_filtered_mv, spath(tmp_filtered_mv, "filePath")), processCommandLine = mvmap(tmp_filtered_mv, spath(tmp_filtered_mv, "processCommandLine")), ipAddress = mvmap(tmp_filtered_mv, spath(tmp_filtered_mv, "ipAddress")), registryKey = mvmap(tmp_filtered_mv, spath(tmp_filtered_mv, "registryKey")), url = mvmap(tmp_filtered_mv, spath(tmp_filtered_mv, "url"))