CodingAnarchy/nokogiri_test.eml

## nokogiri_test.eml
Return-Path: <SentinelAlerts@foobar.com>
Received-SPF: pass (spfCheck: domain of foobar.com designates 192.168.0.1 as permitted sender) client-ip=192.168.0.1; envelope-from=SentinelAlerts@foobar.com; helo=mail-dm6nam10on2114.outbound.protection.outlook.com;
Authentication-Results: amazonses.com;
 spf=pass (spfCheck: domain of foobar.com designates 192.168.0.1 as permitted sender) client-ip=192.168.0.1; envelope-from=SentinelAlerts@foobar.com; helo=mail-dm6nam10on2114.outbound.protection.outlook.com;
 dkim=pass header.i=@foobar.com;
 dmarc=pass header.from=foobar.com;
X-SES-RECEIPT: AEFBQUFBQUFBQUFFOG93TThhdmZYL0dpV1l4dXpSblIyODRaMGdtVGU3QVF5UW9SKzc3aE9jbU5LL3dxdmJXYUNnaHZBMGtOdGNxK1kxZ2NKTHJXWGdNVGZKS1kwUGJyNlRHNjRqdjN4ZVJSUHlQRjlvb1lSN1NObzBEcEN3OHNJejdmQThZQStYbHBBK2xtWEZSSUQ5V0dwdUk2RzBJeFpjLzNjdS9hTjVJSjlpN1AraUxicnBxQUFJZ0VTTEtWZ1RzSkpiRGtNb2cyQkVnY25xOGZkZEorTzhkbXVZMFlKTnFWSGpTQTI2VnY5QW1ER2srY3I2N3NTc3F6dG5McFVPSTJ6ZU90c2NzT1BJUlA5YkR1MmVDQkV2VUdkUDRlcEZ2Mm1qUU0reFJjeWhzQ1BPS0sweVN4NFgzRndWOG96QVFRek1la2k0L2c9
X-SES-DKIM-SIGNATURE: a=rsa-sha256; q=dns/txt; b=VDpanH/8lL7WIGp7KGQhppLBAEGzqW8B2mV4ufBHMS7hvekaIb7KUb8xxDMJj7veATaf+0JR9mDDG+Lqa2zsnMcseFmqacLhq/7JK3XKM1Za+5NLwqDB1v+AYbm93lvubjU33RrzOVCpO49DwDghxn++LIzFps8DNNIOmEXiXmc=; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1597316434; v=1; bh=jE9nfSfqyI0hT/PezYPjnxYHMIhO83PA6mH+6clU4XA=; h=From:To:Cc:Bcc:Subject:Date:Message-ID:MIME-Version:Content-Type:X-SES-RECEIPT;
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=oMiniuen1BCC+srwcXAVFvsdH4DFVZZOfmcqWxR1Q3FwLDgb9/8EscsTrgZzBUhCy6utLd4srW50sfjAOlbnGDcYkgm8+e+FCZ5s6C8ZYf6wex2+il8Rwga0tQ6xJruGxD7ggM6z3geLoemsznnWe166Q/6CP7vBI0MzJgolktOHAYEoXHLEx/zSape/eHwO5QcWAKNnfrjZk7AOccR6BtvSt2KXz+XcAGQhWCXBvQ5XQ2llwBU/3/zKAmuvZlHGATrm8XLXlFOnR90OfLkevt7+B60wT0YXFQpv/X0OxouwPW+UEBOjrz91gkjkK6zzBoNBeAplf6/elUyrxtmkFA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=I5YdXn+3yNsMg3xhqljwwzX6zv6F63Xu6ie8STp8QK8=;
 b=a4wpd2ZN2mc9PS6sIE+mV+aDY6cLSsGJnn19DnomaT2pvAO+5LPxi07zglKFhnDwT/Ft+BDhNWKvgWxgVveEHvgUcVvKPLqBlFuQAhzqm4bkcr5qH6svUsK+1DaqMH/GocYnSt1NViVEDMImiCBg0T/wveisk9KZs0wHkhsZxYLdmqwi1vTGfspixzFGCNuLRd0+SIKt4GBkOjhJXRlBbzLs0Mf7A2z8YiXJ5JZ8iIWYaosKlo5ILAx4JSNSxfRgXk7zYlaxTQyBLgulsFNLTNjQ5rX90vvtHFg3XaaAdi7ldbM8ta5F387X/F9jGGOJJUWkHQYtS6NbuyYikbyQzA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=foobar.com; dmarc=pass action=none header.from=foobar.com;
 dkim=pass header.d=foobar.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=foobar.com;
 s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=I5YdXn+3yNsMg3xhqljwwzX6zv6F63Xu6ie8STp8QK8=;
 b=FabDg1ajpHNwCEVF1YijBQzz2xV5DXP7Y3ob/Vukr1Pd/5hQtmN4St4/0+XEdpn8HSe5xr42ECY+i2Rvc4NdZTYqvCZdbG7jwsncDTtZF5Yd0OtVDfX/is2lD7OK59p627fdRtWsr4aHYSxD9Kd4Z/FwVwym+Wjdsp9+JvFyvCY=
Received: from BLAPR19MB4324.namprd19.prod.outlook.com (2603:10b6:208:27c::10)
 by BLAPR19MB4498.namprd19.prod.outlook.com (2603:10b6:208:29a::15) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 192.168.0.2; Thu, 13 Aug
 2020 11:00:26 +0000
Received: from BLAPR19MB4324.namprd19.prod.outlook.com
 ([fe80::a0be:bf27:e570:98a]) by BLAPR19MB4324.namprd19.prod.outlook.com
 ([fe80::a0be:bf27:e570:98a%9]) with mapi id 192.168.0.3; Thu, 13 Aug 2020
 11:00:26 +0000
From: Sentinel Alerts <SentinelAlerts@foobar.com>
To: Security Team <SecurityTeam@foobar.com>,
	"alertsa52870847feac8ba1e026fb100000000@foo.bar"
	<alertsa52870847feac8ba1e026fb100000000@foo.bar>
Subject: Azure Sentinel Alert: foobar - MS-A211: Microsoft Defender ATP
 Alert
Thread-Topic: Azure Sentinel Alert: foobar - MS-A211: Microsoft Defender ATP
 Alert
Thread-Index: AQHWcWDzFpkyC1/3EU+xdVOov+Qe5A==
Importance: low
X-Priority: 5
Date: Thu, 13 Aug 2020 11:00:26 +0000
Message-ID:
 <BLAPR19MB4324FD0638D806E189DEC494BD430@BLAPR19MB4324.namprd19.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-mail-application: Azure Logic Apps; User-Agent: azure-logic-apps/1.0
 (workflow 307d77cef59e4369994b6e3b87f573d2; version 08586081441835642616)
x-ms-mail-operation-type: Send
authentication-results: managedsentinel.com; dkim=none (message not signed)
 header.d=none;managedsentinel.com; dmarc=none action=none
 header.from=foobar.com;
x-originating-ip: [192.168.0.4]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: eb41c45e-cfc0-4fe2-2a39-08d83f7815c9
x-ms-traffictypediagnostic: BLAPR19MB4498:
x-ld-processed: 1f645c37-ab53-4475-8183-733a4df64da3,ExtAddr
x-microsoft-antispam-prvs:
 <BLAPR19MB44989C03655D4E41F012D3CDBD430@BLAPR19MB4498.namprd19.prod.outlook.com>
x-ipw-groupmember: False
x-ms-oob-tlc-oobclassifiers: OLM:534;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative;
	boundary="_000_BLAPR19MB4324FD0638D806E189DEC494BD430BLAPR19MB4324namp_"
MIME-Version: 1.0
X-OriginatorOrg: foobar.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BLAPR19MB4324.namprd19.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: eb41c45e-cfc0-4fe2-2a39-08d83f7815c9
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Aug 2020 11:00:26.5243
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 1f645c37-ab53-4475-8183-733a4df64da3
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: RRj8paSSspQe0tmL/jpKObKvwcKqSwsqn+zuA+JYnnWlvQK4UQ9bO+kffXu543bsZN5xcKlwqsuiaRXBf22Lqozsq8W7h7Lq6htYpdqLqgg=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLAPR19MB4498

--_000_BLAPR19MB4324FD0638D806E189DEC494BD430BLAPR19MB4324namp_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

An Azure Sentinel alert has been triggered:

Alert: MS-A211: Microsoft Defender ATP Alert
Severity: Medium
Description: This alert notifies on Microsoft Defender ATP notifications se=
nt to Azure Sentinel.
Azure Sentinel Incident number: 5883

Query results that triggered the alert:
TimeGenerated   DisplayName     AlertSeverity   Description     Details Rem=
ediationSteps        AlertLink       User    Host    AccountCustomEntity   =
  HostCustomEntity
8/13/2020 10:48:21 AM   USB and File Write Detected     Medium  Alert looks=
 for usb drives and subsequent file writes.  ["DnsDomain: capam.foocot=
ic.comHost: foo633 Type: host"," Name: foo633$ Type: account"]    [
"1. Make sure the machine is completely updated and all your software has t=
he latest patch.",
"2. Contact your incident response team. NOTE: If you don=92t have an incid=
ent response team, contact Microsoft Support for architectural remediation =
and forensic.",
"3. Install and run Microsoft=92s Malicious Software Removal Tool (see http=
s://www.microsoft.com/en-us/download/malicious-software-removal-tool-detail=
s.aspx).",
"4. Run Microsoft=92s Autoruns utility and try to identify unknown applicat=
ions that are configured to run at login (see https://technet.microsoft.com=
/en-us/sysinternals/bb963902.aspx).",
"5. Run Process Explorer and try to identify unknown running processes (see=
 https://technet.microsoft.com/en-us/sysinternals/bb896653.aspx)."
]               foo633$         foo633$


Go to Azure Portal: https://portal.azure.com

Managed Sentinel Advice: https://www.managedsentinel.com/MS-A211

--_000_BLAPR19MB4324FD0638D806E189DEC494BD430BLAPR19MB4324namp_
Content-Type: text/html; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3DWindows-1=
252">
</head>
<body>
<p>An Azure Sentinel alert has been triggered:<br>
<br>
Alert: MS-A211: Microsoft Defender ATP Alert<br>
Severity: Medium<br>
Description: This alert notifies on Microsoft Defender ATP notifications se=
nt to Azure Sentinel.<br>
Azure Sentinel Incident number: 5883<br>
<br>
Query results that triggered the alert:<br>
<table border=3D"1" cellpadding=3D"5" cellspacing=3D"1" bordercolor=3D"Blac=
k" style=3D"font-family:&quot;Segoe UI&quot;;font-size:12px;border-collapse=
:collapse;">
<tbody>
<tr bgcolor=3D"DarkGray">
<td nowrap=3D"nowrap">TimeGenerated</td>
<td nowrap=3D"nowrap">DisplayName</td>
<td nowrap=3D"nowrap">AlertSeverity</td>
<td nowrap=3D"nowrap">Description</td>
<td nowrap=3D"nowrap">Details</td>
<td nowrap=3D"nowrap">RemediationSteps</td>
<td nowrap=3D"nowrap">AlertLink</td>
<td nowrap=3D"nowrap">User</td>
<td nowrap=3D"nowrap">Host</td>
<td nowrap=3D"nowrap">AccountCustomEntity</td>
<td nowrap=3D"nowrap">HostCustomEntity</td>
</tr>
<tr>
<td nowrap=3D"nowrap">8/13/2020 10:48:21 AM</td>
<td nowrap=3D"nowrap">USB and File Write Detected</td>
<td nowrap=3D"nowrap">Medium</td>
<td nowrap=3D"nowrap">Alert looks for usb drives and subsequent file writes=
.</td>
<td nowrap=3D"nowrap">[&quot;DnsDomain: capam.foobar.comHost: foo633=
 Type: host&quot;,&quot; Name: foo633$ Type: account&quot;]</td>
<td nowrap=3D"nowrap" class=3D"foo">[<br>
&quot;1. Make sure the machine is completely updated and all your software =
has the latest patch.&quot;,<br>
&quot;2. Contact your incident response team. NOTE: If you don=92t have an =
incident response team, contact Microsoft Support for architectural remedia=
tion and forensic.&quot;,<br>
&quot;3. Install and run Microsoft=92s Malicious Software Removal Tool (see=
 https://www.microsoft.com/en-us/download/malicious-software-removal-tool-d=
etails.aspx).&quot;,<br>
&quot;4. Run Microsoft=92s Autoruns utility and try to identify unknown app=
lications that are configured to run at login (see https://technet.microsof=
t.com/en-us/sysinternals/bb963902.aspx).&quot;,<br>
&quot;5. Run Process Explorer and try to identify unknown running processes=
 (see https://technet.microsoft.com/en-us/sysinternals/bb896653.aspx).&quot=
;<br>
]</td>
<td nowrap=3D"nowrap"></td>
<td nowrap=3D"nowrap">foo633$</td>
<td nowrap=3D"nowrap"></td>
<td nowrap=3D"nowrap">foo633$</td>
<td nowrap=3D"nowrap"></td>
</tr>
</tbody>
</table>
<br>
<br>
Go to Azure Portal: https://portal.azure.com<br>
<br>
Managed Sentinel Advice: https://www.managedsentinel.com/MS-A211</p>
</body>
</html>

--_000_BLAPR19MB4324FD0638D806E189DEC494BD430BLAPR19MB4324namp_--
	Return-Path: <SentinelAlerts@foobar.com>
	Received-SPF: pass (spfCheck: domain of foobar.com designates 192.168.0.1 as permitted sender) client-ip=192.168.0.1; envelope-from=SentinelAlerts@foobar.com; helo=mail-dm6nam10on2114.outbound.protection.outlook.com;
	Authentication-Results: amazonses.com;
	spf=pass (spfCheck: domain of foobar.com designates 192.168.0.1 as permitted sender) client-ip=192.168.0.1; envelope-from=SentinelAlerts@foobar.com; helo=mail-dm6nam10on2114.outbound.protection.outlook.com;
	dkim=pass header.i=@foobar.com;
	dmarc=pass header.from=foobar.com;
	X-SES-RECEIPT: AEFBQUFBQUFBQUFFOG93TThhdmZYL0dpV1l4dXpSblIyODRaMGdtVGU3QVF5UW9SKzc3aE9jbU5LL3dxdmJXYUNnaHZBMGtOdGNxK1kxZ2NKTHJXWGdNVGZKS1kwUGJyNlRHNjRqdjN4ZVJSUHlQRjlvb1lSN1NObzBEcEN3OHNJejdmQThZQStYbHBBK2xtWEZSSUQ5V0dwdUk2RzBJeFpjLzNjdS9hTjVJSjlpN1AraUxicnBxQUFJZ0VTTEtWZ1RzSkpiRGtNb2cyQkVnY25xOGZkZEorTzhkbXVZMFlKTnFWSGpTQTI2VnY5QW1ER2srY3I2N3NTc3F6dG5McFVPSTJ6ZU90c2NzT1BJUlA5YkR1MmVDQkV2VUdkUDRlcEZ2Mm1qUU0reFJjeWhzQ1BPS0sweVN4NFgzRndWOG96QVFRek1la2k0L2c9
	X-SES-DKIM-SIGNATURE: a=rsa-sha256; q=dns/txt; b=VDpanH/8lL7WIGp7KGQhppLBAEGzqW8B2mV4ufBHMS7hvekaIb7KUb8xxDMJj7veATaf+0JR9mDDG+Lqa2zsnMcseFmqacLhq/7JK3XKM1Za+5NLwqDB1v+AYbm93lvubjU33RrzOVCpO49DwDghxn++LIzFps8DNNIOmEXiXmc=; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1597316434; v=1; bh=jE9nfSfqyI0hT/PezYPjnxYHMIhO83PA6mH+6clU4XA=; h=From:To:Cc:Bcc:Subject:Date:Message-ID:MIME-Version:Content-Type:X-SES-RECEIPT;
	ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
	b=oMiniuen1BCC+srwcXAVFvsdH4DFVZZOfmcqWxR1Q3FwLDgb9/8EscsTrgZzBUhCy6utLd4srW50sfjAOlbnGDcYkgm8+e+FCZ5s6C8ZYf6wex2+il8Rwga0tQ6xJruGxD7ggM6z3geLoemsznnWe166Q/6CP7vBI0MzJgolktOHAYEoXHLEx/zSape/eHwO5QcWAKNnfrjZk7AOccR6BtvSt2KXz+XcAGQhWCXBvQ5XQ2llwBU/3/zKAmuvZlHGATrm8XLXlFOnR90OfLkevt7+B60wT0YXFQpv/X0OxouwPW+UEBOjrz91gkjkK6zzBoNBeAplf6/elUyrxtmkFA==
	ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
	s=arcselector9901;
	h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
	bh=I5YdXn+3yNsMg3xhqljwwzX6zv6F63Xu6ie8STp8QK8=;
	b=a4wpd2ZN2mc9PS6sIE+mV+aDY6cLSsGJnn19DnomaT2pvAO+5LPxi07zglKFhnDwT/Ft+BDhNWKvgWxgVveEHvgUcVvKPLqBlFuQAhzqm4bkcr5qH6svUsK+1DaqMH/GocYnSt1NViVEDMImiCBg0T/wveisk9KZs0wHkhsZxYLdmqwi1vTGfspixzFGCNuLRd0+SIKt4GBkOjhJXRlBbzLs0Mf7A2z8YiXJ5JZ8iIWYaosKlo5ILAx4JSNSxfRgXk7zYlaxTQyBLgulsFNLTNjQ5rX90vvtHFg3XaaAdi7ldbM8ta5F387X/F9jGGOJJUWkHQYtS6NbuyYikbyQzA==
	ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
	smtp.mailfrom=foobar.com; dmarc=pass action=none header.from=foobar.com;
	dkim=pass header.d=foobar.com; arc=none
	DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=foobar.com;
	s=selector1;
	h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
	bh=I5YdXn+3yNsMg3xhqljwwzX6zv6F63Xu6ie8STp8QK8=;
	b=FabDg1ajpHNwCEVF1YijBQzz2xV5DXP7Y3ob/Vukr1Pd/5hQtmN4St4/0+XEdpn8HSe5xr42ECY+i2Rvc4NdZTYqvCZdbG7jwsncDTtZF5Yd0OtVDfX/is2lD7OK59p627fdRtWsr4aHYSxD9Kd4Z/FwVwym+Wjdsp9+JvFyvCY=
	Received: from BLAPR19MB4324.namprd19.prod.outlook.com (2603:10b6:208:27c::10)
	by BLAPR19MB4498.namprd19.prod.outlook.com (2603:10b6:208:29a::15) with
	Microsoft SMTP Server (version=TLS1_2,
	cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 192.168.0.2; Thu, 13 Aug
	2020 11:00:26 +0000
	Received: from BLAPR19MB4324.namprd19.prod.outlook.com
	([fe80::a0be:bf27:e570:98a]) by BLAPR19MB4324.namprd19.prod.outlook.com
	([fe80::a0be:bf27:e570:98a%9]) with mapi id 192.168.0.3; Thu, 13 Aug 2020
	11:00:26 +0000
	From: Sentinel Alerts <SentinelAlerts@foobar.com>
	To: Security Team <SecurityTeam@foobar.com>,
	"alertsa52870847feac8ba1e026fb100000000@foo.bar"
	<alertsa52870847feac8ba1e026fb100000000@foo.bar>
	Subject: Azure Sentinel Alert: foobar - MS-A211: Microsoft Defender ATP
	Alert
	Thread-Topic: Azure Sentinel Alert: foobar - MS-A211: Microsoft Defender ATP
	Alert
	Thread-Index: AQHWcWDzFpkyC1/3EU+xdVOov+Qe5A==
	Importance: low
	X-Priority: 5
	Date: Thu, 13 Aug 2020 11:00:26 +0000
	Message-ID:
	<BLAPR19MB4324FD0638D806E189DEC494BD430@BLAPR19MB4324.namprd19.prod.outlook.com>
	Accept-Language: en-US
	Content-Language: en-US
	X-MS-Has-Attach:
	X-MS-TNEF-Correlator:
	x-ms-mail-application: Azure Logic Apps; User-Agent: azure-logic-apps/1.0
	(workflow 307d77cef59e4369994b6e3b87f573d2; version 08586081441835642616)
	x-ms-mail-operation-type: Send
	authentication-results: managedsentinel.com; dkim=none (message not signed)
	header.d=none;managedsentinel.com; dmarc=none action=none
	header.from=foobar.com;
	x-originating-ip: [192.168.0.4]
	x-ms-publictraffictype: Email
	x-ms-office365-filtering-correlation-id: eb41c45e-cfc0-4fe2-2a39-08d83f7815c9
	x-ms-traffictypediagnostic: BLAPR19MB4498:
	x-ld-processed: 1f645c37-ab53-4475-8183-733a4df64da3,ExtAddr
	x-microsoft-antispam-prvs:
	<BLAPR19MB44989C03655D4E41F012D3CDBD430@BLAPR19MB4498.namprd19.prod.outlook.com>
	x-ipw-groupmember: False
	x-ms-oob-tlc-oobclassifiers: OLM:534;
	x-ms-exchange-senderadcheck: 1
	x-microsoft-antispam: BCL:0;
	x-ms-exchange-transport-forked: True
	Content-Type: multipart/alternative;
	boundary="_000_BLAPR19MB4324FD0638D806E189DEC494BD430BLAPR19MB4324namp_"
	MIME-Version: 1.0
	X-OriginatorOrg: foobar.com
	X-MS-Exchange-CrossTenant-AuthAs: Internal
	X-MS-Exchange-CrossTenant-AuthSource: BLAPR19MB4324.namprd19.prod.outlook.com
	X-MS-Exchange-CrossTenant-Network-Message-Id: eb41c45e-cfc0-4fe2-2a39-08d83f7815c9
	X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Aug 2020 11:00:26.5243
	(UTC)
	X-MS-Exchange-CrossTenant-fromentityheader: Hosted
	X-MS-Exchange-CrossTenant-id: 1f645c37-ab53-4475-8183-733a4df64da3
	X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
	X-MS-Exchange-CrossTenant-userprincipalname: RRj8paSSspQe0tmL/jpKObKvwcKqSwsqn+zuA+JYnnWlvQK4UQ9bO+kffXu543bsZN5xcKlwqsuiaRXBf22Lqozsq8W7h7Lq6htYpdqLqgg=
	X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLAPR19MB4498

	--_000_BLAPR19MB4324FD0638D806E189DEC494BD430BLAPR19MB4324namp_
	Content-Type: text/plain; charset="Windows-1252"
	Content-Transfer-Encoding: quoted-printable

	An Azure Sentinel alert has been triggered:

	Alert: MS-A211: Microsoft Defender ATP Alert
	Severity: Medium
	Description: This alert notifies on Microsoft Defender ATP notifications se=
	nt to Azure Sentinel.
	Azure Sentinel Incident number: 5883

	Query results that triggered the alert:
	TimeGenerated DisplayName AlertSeverity Description Details Rem=
	ediationSteps AlertLink User Host AccountCustomEntity =
	HostCustomEntity
	8/13/2020 10:48:21 AM USB and File Write Detected Medium Alert looks=
	for usb drives and subsequent file writes. ["DnsDomain: capam.foocot=
	ic.comHost: foo633 Type: host"," Name: foo633$ Type: account"] [
	"1. Make sure the machine is completely updated and all your software has t=
	he latest patch.",
	"2. Contact your incident response team. NOTE: If you don=92t have an incid=
	ent response team, contact Microsoft Support for architectural remediation =
	and forensic.",
	"3. Install and run Microsoft=92s Malicious Software Removal Tool (see http=
	s://www.microsoft.com/en-us/download/malicious-software-removal-tool-detail=
	s.aspx).",
	"4. Run Microsoft=92s Autoruns utility and try to identify unknown applicat=
	ions that are configured to run at login (see https://technet.microsoft.com=
	/en-us/sysinternals/bb963902.aspx).",
	"5. Run Process Explorer and try to identify unknown running processes (see=
	https://technet.microsoft.com/en-us/sysinternals/bb896653.aspx)."
	] foo633$ foo633$


	Go to Azure Portal: https://portal.azure.com

	Managed Sentinel Advice: https://www.managedsentinel.com/MS-A211

	--_000_BLAPR19MB4324FD0638D806E189DEC494BD430BLAPR19MB4324namp_
	Content-Type: text/html; charset="Windows-1252"
	Content-Transfer-Encoding: quoted-printable

	<html>
	<head>
	<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3DWindows-1=
	252">
	</head>
	<body>
	<p>An Azure Sentinel alert has been triggered:<br>
	<br>
	Alert: MS-A211: Microsoft Defender ATP Alert<br>
	Severity: Medium<br>
	Description: This alert notifies on Microsoft Defender ATP notifications se=
	nt to Azure Sentinel.<br>
	Azure Sentinel Incident number: 5883<br>
	<br>
	Query results that triggered the alert:<br>
	<table border=3D"1" cellpadding=3D"5" cellspacing=3D"1" bordercolor=3D"Blac=
	k" style=3D"font-family:"Segoe UI";font-size:12px;border-collapse=
	:collapse;">
	<tbody>
	<tr bgcolor=3D"DarkGray">
	<td nowrap=3D"nowrap">TimeGenerated</td>
	<td nowrap=3D"nowrap">DisplayName</td>
	<td nowrap=3D"nowrap">AlertSeverity</td>
	<td nowrap=3D"nowrap">Description</td>
	<td nowrap=3D"nowrap">Details</td>
	<td nowrap=3D"nowrap">RemediationSteps</td>
	<td nowrap=3D"nowrap">AlertLink</td>
	<td nowrap=3D"nowrap">User</td>
	<td nowrap=3D"nowrap">Host</td>
	<td nowrap=3D"nowrap">AccountCustomEntity</td>
	<td nowrap=3D"nowrap">HostCustomEntity</td>
	</tr>
	<tr>
	<td nowrap=3D"nowrap">8/13/2020 10:48:21 AM</td>
	<td nowrap=3D"nowrap">USB and File Write Detected</td>
	<td nowrap=3D"nowrap">Medium</td>
	<td nowrap=3D"nowrap">Alert looks for usb drives and subsequent file writes=
	.</td>
	<td nowrap=3D"nowrap">["DnsDomain: capam.foobar.comHost: foo633=
	Type: host"," Name: foo633$ Type: account"]</td>
	<td nowrap=3D"nowrap" class=3D"foo">[<br>
	"1. Make sure the machine is completely updated and all your software =
	has the latest patch.",<br>
	"2. Contact your incident response team. NOTE: If you don=92t have an =
	incident response team, contact Microsoft Support for architectural remedia=
	tion and forensic.",<br>
	"3. Install and run Microsoft=92s Malicious Software Removal Tool (see=
	https://www.microsoft.com/en-us/download/malicious-software-removal-tool-d=
	etails.aspx).",<br>
	"4. Run Microsoft=92s Autoruns utility and try to identify unknown app=
	lications that are configured to run at login (see https://technet.microsof=
	t.com/en-us/sysinternals/bb963902.aspx).",<br>
	"5. Run Process Explorer and try to identify unknown running processes=
	(see https://technet.microsoft.com/en-us/sysinternals/bb896653.aspx).&quot=
	;<br>
	]</td>
	<td nowrap=3D"nowrap"></td>
	<td nowrap=3D"nowrap">foo633$</td>
	<td nowrap=3D"nowrap"></td>
	<td nowrap=3D"nowrap">foo633$</td>
	<td nowrap=3D"nowrap"></td>
	</tr>
	</tbody>
	</table>
	<br>
	<br>
	Go to Azure Portal: https://portal.azure.com<br>
	<br>
	Managed Sentinel Advice: https://www.managedsentinel.com/MS-A211</p>
	</body>
	</html>

	--_000_BLAPR19MB4324FD0638D806E189DEC494BD430BLAPR19MB4324namp_--