<!--
A real activity-log entry; sensitive values have been redacted (shown as "...") and anonymized. Note that the eventTimestamp value is also a placeholder rather than a valid RFC 3339 timestamp (it names month 31), so do not expect it to parse as a date.
category = "Security"
level = "Informational"
The threatName and threatID values under "properties" correspond to this entry in Microsoft's threat encyclopedia:
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3AScript%2FConteban.A!ml&threatid=2147735508
-->
{
"channels": "Operation",
"correlationId": "...",
"description": "Antimalware Action Taken. Microsoft Antimalware has taken an action to protect this machine from malware or other potentially unwanted software.",
"eventDataId": "...",
"eventName": {
"value": "Antimalware Action Taken",
"localizedValue": "Antimalware Action Taken"
},
"category": {
"value": "Security",
"localizedValue": "Security"
},
"eventTimestamp": "2021-31-01T23:59:59Z",
"id": "/subscriptions/.../resourceGroups/myrg/providers/Microsoft.Security/locations/eastus/alerts/.../events/.../ticks/...",
"level": "Informational",
"operationId": "...",
"operationName": {
"value": "Microsoft.Security/locations/alerts/activate/action",
"localizedValue": "Activate Alert"
},
"resourceGroupName": "myrg",
"resourceProviderName": {
"value": "Microsoft.Security",
"localizedValue": "Microsoft.Security"
},
"resourceType": {
"value": "Microsoft.Security/locations/alerts",
"localizedValue": "Microsoft.Security/locations/alerts"
},
"resourceId": "/subscriptions/.../resourceGroups/myrg/providers/Microsoft.Security/locations/eastus/alerts/...",
"status": {
"value": "Active",
"localizedValue": "Active"
},
"subStatus": {
"value": "",
"localizedValue": ""
},
"submissionTimestamp": "2021-11-19T23:46:41.1573581Z",
"subscriptionId": "...",
"tenantId": "",
"properties": {
"actionTaken": "Blocked",
"threatStatus": "Quarantined",
"protectionType": "Windows Defender",
"threatName": "Trojan:Script/Conteban.A!ml",
"category": "Trojan",
"threatID": "2147735508",
"filePath": "c:\\users\\myname\\Downloads\\BadFile.zip",
"resourceType": "Virtual Machine",
"severity": "Low",
"intent": "[\"Unknown\"]",
"compromisedEntity": "myvm.example.org",
"remediationSteps": "[\"No user action is necessary\"]",
"attackedResourceType": "Virtual Machine"
},
"relatedEvents": []
}