Microsoft Defender for Endpoint
Microsoft Defender for Endpoint Advanced Hunting telemetry — process, network, file, registry, logon, image load, and device events plus EDR alerts, as streamed to Microsoft Sentinel.
Quick Start
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
--path generators/security-defender-endpoint/generator.yml \
--id security-defender-endpoint \
--live-mode true
Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| process-events | Process Creation (DeviceProcessEvents) | 33% | endpoint |
| network-events | Network Connections (DeviceNetworkEvents) | 28% | network |
| file-events | File Operations (DeviceFileEvents) | 22% | endpoint |
| registry-events | Registry Modifications (DeviceRegistryEvents) | 9% | endpoint |
| image-load-events | DLL/Image Loads (DeviceImageLoadEvents) | 4% | endpoint |
| logon-events | Logon Events (DeviceLogonEvents) | 2% | authentication |
| device-events | Device Events (AV, USB, Firewall) | 1.5% | endpoint |
| alert-info | Security Alerts (AlertInfo) | 0.5% | intrusion_detection |
Realism Features
- Integrity-level-based account selection — System, High, and Medium integrity processes map to SYSTEM, admin, and standard user accounts with matching SIDs and token elevation types
- Monotonic per-device ReportId counter using shared state ensures sequential, non-duplicated report IDs per endpoint
- Realistic parent-child process trees drawn from a pool of 25+ Windows process chains (e.g., services.exe → svchost.exe, explorer.exe → chrome.exe)
- Full PE metadata on every process — SHA1/SHA256/MD5 hashes, version info, signer type, and signature status
- MITRE ATT&CK-mapped alert profiles covering credential access, lateral movement, execution, and persistence techniques
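The two mechanisms above that a consumer can verify directly are the per-device monotonic ReportId and the integrity-level-to-account mapping. The following is an added example, not code from the content pack or from eventum-generator: it models those two features on a tiny scale (weighting the event mix with the percentages from the Event Types table) and then runs a consumer-side check of the kind you would apply before trusting a synthetic stream in a Sentinel detection test. The account names, domain SID and RIDs are constructed placeholders; the event structure is simplified to the handful of fields the check needs.

```python
"""Added example (not the content pack's own code): a small model of the
per-device ReportId counter and the integrity-level account mapping, plus
a consumer-side validator for a generated stream."""
import random
from collections import Counter, defaultdict

# Event-type mix from the Event Types table (percent of the stream).
EVENT_TYPE_WEIGHTS = {
    "process-events": 33.0,
    "network-events": 28.0,
    "file-events": 22.0,
    "registry-events": 9.0,
    "image-load-events": 4.0,
    "logon-events": 2.0,
    "device-events": 1.5,
    "alert-info": 0.5,
}

# Constructed placeholders: the real pack takes the domain SID as a parameter.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Integrity level -> (AccountName, AccountSid, ProcessTokenElevation).
# S-1-5-18 is the well-known SYSTEM SID; the other two rows are constructed.
INTEGRITY_ACCOUNTS = {
    "System": ("SYSTEM", "S-1-5-18", "TokenElevationTypeDefault"),
    "High": ("admin01", f"{DOMAIN_SID}-1105", "TokenElevationTypeFull"),
    "Medium": ("jdoe", f"{DOMAIN_SID}-1204", "TokenElevationTypeLimited"),
}


class ReportIdState:
    """Shared state: one monotonic counter per endpoint, starting at 1000
    like the sample output on the page."""

    def __init__(self, start=1000):
        self._next = defaultdict(lambda: start)

    def next_id(self, device):
        rid = self._next[device]
        self._next[device] = rid + 1
        return rid


def pick_event_type(rng):
    types = list(EVENT_TYPE_WEIGHTS)
    weights = [EVENT_TYPE_WEIGHTS[t] for t in types]
    return rng.choices(types, weights=weights, k=1)[0]


def distribution(n, seed=7):
    """Count how many of n draws land on each event type."""
    rng = random.Random(seed)
    return Counter(pick_event_type(rng) for _ in range(n))


def make_event(rng, device, state):
    """Build one simplified event. Only process events carry the
    integrity-level fields; every event consumes the device's next ReportId."""
    ev = {
        "DeviceName": device,
        "EventType": pick_event_type(rng),
        "ReportId": state.next_id(device),
    }
    if ev["EventType"] == "process-events":
        level = rng.choice(list(INTEGRITY_ACCOUNTS))
        name, sid, elevation = INTEGRITY_ACCOUNTS[level]
        ev.update(ActionType="ProcessCreated", ProcessIntegrityLevel=level,
                  AccountName=name, AccountSid=sid, ProcessTokenElevation=elevation)
    return ev


def generate(n, seed=1, devices=("wkstn-nyc001.contoso.com", "wkstn-nyc002.contoso.com")):
    rng = random.Random(seed)
    state = ReportIdState()
    return [make_event(rng, rng.choice(devices), state) for _ in range(n)]


def check_stream(events):
    """Consumer-side validation. Returns a list of problems; an empty list
    means every device's ReportId advanced by exactly one each time (so no
    gaps and no duplicates) and every process event's account fields agree
    with its integrity level."""
    problems = []
    last = {}
    for i, ev in enumerate(events):
        dev, rid = ev["DeviceName"], ev["ReportId"]
        if dev in last and rid != last[dev] + 1:
            problems.append(f"event {i}: {dev} ReportId {rid} follows {last[dev]}")
        last[dev] = rid
        if ev.get("EventType") != "process-events":
            continue
        expected = INTEGRITY_ACCOUNTS.get(ev.get("ProcessIntegrityLevel"))
        actual = (ev.get("AccountName"), ev.get("AccountSid"), ev.get("ProcessTokenElevation"))
        if expected is None or actual != expected:
            problems.append(f"event {i}: account fields do not match integrity level "
                            f"{ev.get('ProcessIntegrityLevel')!r}")
    return problems


if __name__ == "__main__":
    stream = generate(200)
    print(f"{len(stream)} events, problems: {check_stream(stream)}")
    print(distribution(20000).most_common())
```

The validator is the useful part: run it over a captured generator stream (after mapping the real envelope's `properties` down to these field names) and any duplicated or out-of-order ReportId, or a Medium-integrity process attributed to SYSTEM, shows up before the data reaches a detection rule under test.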
Sample Output
{
  "Tenant": "Contoso",
  "category": "AdvancedHunting-DeviceProcessEvents",
  "operationName": "Publish",
  "properties": {
    "Timestamp": "2026-03-06T16:26:47.000000Z",
    "DeviceName": "wkstn-nyc001.contoso.com",
    "ActionType": "ProcessCreated",
    "FileName": "chrome.exe",
    "FolderPath": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
    "ProcessId": 10470,
    "ProcessCommandLine": "\"C:\\Program Files\\...\\chrome.exe\" --type=utility",
    "ProcessIntegrityLevel": "Medium",
    "AccountDomain": "CONTOSO",
    "AccountName": "svc-web",
    "InitiatingProcessFileName": "sc.exe",
    "InitiatingProcessParentFileName": "cmd.exe",
    "ReportId": 1000,
    "MachineGroup": "ProductionWorkstations"
  },
  "tenantId": "3adb963c-8e61-48e8-a06d-6dbb0dacea39",
  "time": "2026-03-06T16:31:19.000Z"
}
Parameters
| Parameter | Default | Description |
|---|---|---|
| tenant | Contoso | Tenant display name in event envelope |
| domain | CONTOSO | NetBIOS domain name |
| fqdn_suffix | contoso.com | DNS suffix for device FQDNs |
| domain_sid | S-1-5-21-... | Domain SID prefix for user SIDs |
| tenant_id | 3adb963c-... | Azure AD tenant ID (GUID) |
Related Generators
Suricata IDS/IPS
Suricata EVE JSON output — IDS alerts with ET Open signatures, DNS/HTTP/TLS/SSH protocol logs, NetFlow records, and anomaly detections with correlated flow IDs and MITRE ATT&CK mapping.
Palo Alto Threat
Palo Alto PAN-OS Threat logs — IPS vulnerability exploits, antivirus detections, anti-spyware (DNS sinkhole and C2 callback), WildFire cloud verdicts, file type matching, and network scan detection with correlated severity, action, and threat category fields.
Palo Alto URL Filtering
Palo Alto PAN-OS URL Filtering logs — web browsing activity with 65+ URL categories, allow/block/continue/override actions, App-ID application attribution, and content type inspection.