Forum Discussion
Need information on generating sample events for Threat Intelligence
Hi community,
I am working on exploring MS Threat Intelligence and its features. But I am not able to generate sample data for this product, nor able to view the Threat Intelligence logs using Microsoft Management API following the schema - https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype
I tried sending some mails from external email account to my organisation's test user containing EICAR files, and also tried with some safe but malicious test URLs. But still unable to get data inside Threat Intelligence.
Can someone please help me here for generating events and viewing the content using Management APIs?
2 Replies
Hi aslin, here are some supported approaches that usually work (not tested; please try carefully):
a. Use Attack/Threat Simulations (Defender for Office 365 Plan 2)
- In the M365 Security portal → Attack Simulation Training, you can safely simulate phishing, credential harvest, and malware attachment attacks.
- These generate events that appear in Threat Explorer/Advanced Hunting, and you can correlate them with TI.
b. Leverage Defender for Endpoint Test Alerts
Run these on a test machine with Defender for Endpoint onboarded:
# Changes Defender preferences: sets the default action for the given threat ID to Allow (6) and turns off real-time monitoring.
# Both calls are blocked when tamper protection is enabled; run only on a disposable test machine.
Add-MpPreference -ThreatIDDefaultAction_Ids 2147778082 -ThreatIDDefaultAction_Actions 6
Set-MpPreference -DisableRealtimeMonitoring $true
Or the official test commands:
powershell -ExecutionPolicy Bypass -File .\Invoke-MpDetectionTest.ps1
Ref: Microsoft Defender Test Alerts
c. Query via Advanced Hunting
Instead of the Office 365 Management API, try:
- Microsoft 365 Defender Advanced Hunting API
Endpoint: https://api.security.microsoft.com/api/advancedhunting/run
Example KQL:
EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes != ""
- This is where TI indicators (malware families, campaigns, malicious URLs) appear
Thanks aslin, please do let me know the outcome :-)
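As an added example that is not part of the thread (neither the poster's nor Microsoft's code), here is a small Python client that does the two things discussed: it lists Audit.General content from the Office 365 Management Activity API and keeps only the Threat Intelligence records, and it sends the reply's KQL to the Advanced Hunting endpoint and summarises the ThreatTypes column. It assumes a bearer token already obtained with a client-credentials flow (the TENANT_ID and TOKEN names are placeholders). The record type numbers 28, 41 and 47 are the ThreatIntelligence, ThreatIntelligenceUrl and ThreatIntelligenceAtpContent values from the AuditLogRecordType schema linked in the question; the sample blob and sample Advanced Hunting response are constructed so the parsing can be exercised offline.

```python
"""Added example, not from the thread: pull Threat Intelligence (TI) records
from the Office 365 Management Activity API and run the reply's Advanced
Hunting query, with the parsing separated from the network calls so it can
be exercised offline on constructed sample data."""
import json
import urllib.request
from collections import Counter

# AuditLogRecordType values for TI records, from the schema page linked in the question.
TI_RECORD_TYPES = {
    28: "ThreatIntelligence",
    41: "ThreatIntelligenceUrl",
    47: "ThreatIntelligenceAtpContent",
}

MGMT_BASE = "https://manage.office.com/api/v1.0"
AH_RUN_URL = "https://api.security.microsoft.com/api/advancedhunting/run"


def get_json(url, token, body=None):
    """GET (or POST when a body is given) a JSON endpoint with a bearer token.
    The token is assumed to come from a client-credentials flow (not shown)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def list_ti_content_uris(tenant_id, token):
    """List content blobs for the Audit.General feed, which is where TI records land.
    A subscription for Audit.General must already have been started."""
    url = f"{MGMT_BASE}/{tenant_id}/activity/feed/subscriptions/content?contentType=Audit.General"
    return [entry["contentUri"] for entry in get_json(url, token)]


def filter_ti_records(records):
    """Keep only records whose RecordType is a TI type. Audit.General blobs mix
    many workloads, so without this filter TI events are easy to miss."""
    return [r for r in records if r.get("RecordType") in TI_RECORD_TYPES]


def count_by_record_type(records):
    """Count TI records by record type name, e.g. {'ThreatIntelligence': 1}."""
    return dict(Counter(TI_RECORD_TYPES[r["RecordType"]] for r in filter_ti_records(records)))


def advanced_hunting_request(query):
    """Build the POST body for the Advanced Hunting API; the query is sent as-is."""
    return {"Query": query}


def threat_type_counts(results):
    """Count ThreatTypes values in EmailEvents rows. A row can carry several
    comma-separated types (e.g. 'Phish, Malware'), so split before counting."""
    counts = Counter()
    for row in results:
        for t in (row.get("ThreatTypes") or "").split(","):
            t = t.strip()
            if t:
                counts[t] += 1
    return dict(counts)


# The KQL from the reply, as a single string.
EMAIL_THREATS_QUERY = 'EmailEvents\n| where Timestamp > ago(7d)\n| where ThreatTypes != ""'

# Constructed sample data (not real tenant output) so the functions above run offline.
SAMPLE_MGMT_BLOB = [
    {"CreationTime": "2024-05-01T10:00:00", "RecordType": 28, "Operation": "TIMailData", "Workload": "ThreatIntelligence"},
    {"CreationTime": "2024-05-01T10:01:00", "RecordType": 41, "Operation": "TIUrlClickData", "Workload": "ThreatIntelligence"},
    {"CreationTime": "2024-05-01T10:02:00", "RecordType": 47, "Operation": "AtpDetection", "Workload": "ThreatIntelligence"},
    {"CreationTime": "2024-05-01T10:03:00", "RecordType": 15, "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory"},
]
SAMPLE_AH_RESPONSE = {
    "Schema": [{"Name": "Timestamp", "Type": "DateTime"}, {"Name": "ThreatTypes", "Type": "String"}],
    "Results": [
        {"Timestamp": "2024-05-01T10:00:00Z", "ThreatTypes": "Phish"},
        {"Timestamp": "2024-05-01T10:05:00Z", "ThreatTypes": "Phish, Malware"},
        {"Timestamp": "2024-05-01T10:09:00Z", "ThreatTypes": "Malware"},
    ],
}

if __name__ == "__main__":
    print(count_by_record_type(SAMPLE_MGMT_BLOB))            # {'ThreatIntelligence': 1, 'ThreatIntelligenceUrl': 1, 'ThreatIntelligenceAtpContent': 1}
    print(threat_type_counts(SAMPLE_AH_RESPONSE["Results"]))  # {'Phish': 2, 'Malware': 2}
    # Live use (placeholders TENANT_ID and TOKEN must be supplied):
    # for uri in list_ti_content_uris(TENANT_ID, TOKEN):
    #     print(count_by_record_type(get_json(uri, TOKEN)))
    # print(threat_type_counts(get_json(AH_RUN_URL, TOKEN, advanced_hunting_request(EMAIL_THREATS_QUERY))["Results"]))
```

If count_by_record_type returns an empty dict against a live Audit.General blob, the tenant has produced no TI records in that window yet; the simulation steps in the reply are what generate them, and the Advanced Hunting path will usually show the detection first.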