Stephen,
I removed most of the environment variables from the alert since I don't think they are relevant.
All identifying info has been replaced with a fake username, hostname, and domain name.
"hostname": "Laptop123",
"dns_domain": "mydomain.local",
"os_type": "WINDOWS",
"r7_hostid": "11eedce9e4a45170...",
"process": {
"start_time": "2022-06-06T16:14:47.986Z",
"name": "rundll32.exe",
"pid": 1656,
"r7_id": "e66055d1f610d3819cf332cde721b5220bbb125848db6...",
"exe_path": "C:\\Windows\\System32\\rundll32.exe",
"cmd_line": "\"C:\\WINDOWS\\System32\\RunDll32.exe\" C:\\WINDOWS\\system32\\hotplug.dll,HotPlugSafeRemovalDriveNotification ESD-USB (D:)",
"username": "MYDOMAIN\\john.doe",
"session": 1,
"exe_file": {
"owner": "NT SERVICE\\TrustedInstaller",
"orig_filename": "RUNDLL32.EXE",
"description": "Windows host process (Rundll32)",
"product_name": "Microsoft® Windows® Operating System",
"version": "10.0.19041.746 (WinBuild.160101.0800)",
"created": "2021-11-16T18:02:21.994Z",
"last_modified": "2021-11-16T18:02:21.994Z",
"size": 71680,
"internal_name": "rundll",
"hashes": {
"md5": "ef3179d498793bf4234f708d3be28633",
"sha256": "b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa",
"sha1": "dd399ae46303343f9f0da189aee11c67bd868222"
},
"signing_status": "UNSIGNED"
},
"hash_reputation": {
"reputation": "Known",
"threat_level": "None",
"reliability": "Very High",
"first_analyzed_time": "2021-01-13T05:51:18.000Z",
"engine_count": 25,
"engine_match": 0,
"engine_percent": 0
}
},
"parent_process": {
"start_time": "2022-06-06T16:13:45.084Z",
"name": "EXCEL.EXE",
"pid": 13348,
"ppid": 13400,
"r7_id": "0f28ff42f8e602acf860d81a6629c64e9b74a29b257...",
"exe_path": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
"cmd_line": "\"C:\\Program Files\\Microsoft Office\\Root\\Office16\\EXCEL.EXE\" \"C:\\Users\\john.doe\\Documents\\File.csv\"",
"username": "MEC-1\\john.doe",
"session": 1,
"exe_file": {
"owner": "BUILTIN\\Administrators",
"orig_filename": "Excel.exe",
"description": "Microsoft Excel",
"product_name": "Microsoft Office",
"version": "16.0.14931.20132",
"created": "2022-03-17T09:58:24.033Z",
"last_modified": "2022-03-17T09:58:24.627Z",
"size": 65340776,
"internal_name": "Excel",
"hashes": {
"md5": "e52aaa0aca4ccc43af2fc0a4c3d75689",
"sha256": "cfa43a5139266a18b7f7be17f0cc4caaca4d785b033feb75b230cdb7155bdf20",
"sha1": "78fb6217adbac62bb6c9572e6303751f22e7a864"
},
"signing_status": "SIGNED_VALID",
"signing_chain": [
{
"subject": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation",
"issuer": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2010",
"thumbprint": "5A257D333718C4B468A5DBC6643348AF667AEE3D"
},
{
"subject": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2010",
"issuer": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010",
"thumbprint": "8BFE3107712B3C886B1C96AAEC89984914DC9B6B"
},
{
"subject": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010",
"issuer": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010",
"thumbprint": "3B1EFD3A66EA28B16697394703A72CA340A05BD5"
}
],
"countersigning_chain": [
{
"subject": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Ireland Operations Limited, OU=Thales TSS ESN:86DF-4BBC-9335, CN=Microsoft Time-Stamp Service",
"issuer": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Time-Stamp PCA 2010",
"thumbprint": "34A2F214EBABF43CA29A70786CAE64B34426AFD5"
},
{
"subject": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Time-Stamp PCA 2010",
"issuer": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010",
"thumbprint": "36056A5662DCADECF82CC14C8B80EC5E0BCC59A6"
},
{
"subject": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010",
"issuer": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010",
"thumbprint": "3B1EFD3A66EA28B16697394703A72CA340A05BD5"
}
]
}
},
"env_vars": [
{
"var": "ALLUSERSPROFILE",
"val": "C:\\ProgramData"
},
{
"var": "APPDATA",
"val": "C:\\Users\\john.doe\\AppData\\Roaming"
},
{
"var": "FPS_BROWSER_APP_PROFILE_STRING",
"val": "Internet Explorer"
},
{
"var": "FPS_BROWSER_USER_PROFILE_STRING",
"val": "Default"
},
...
},
{
"var": "SESSIONNAME",
"val": "Console"
},
...