How to generate sample events for Microsoft Defender Threat Intelligence?

Question

How to generate sample events for Microsoft Defender Threat Intelligence?

Swarada Jalukar 0

Hi team,

I am working on exploring about MS Threat Intelligence. But I am not aware how to generate test data for this product?

I am already on Defender Plan, which supports threat intelligence, but wish to explore about the Threat Intelligence logs using Microsoft Management API following the schema - https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype

Can someone help me in knowing how to generate some sample events for this service and how they get collected?

1 answer

Your answer

Answer 1

Jayden-P 6,210 Microsoft External Staff Moderator

Hi @Swarada Jalukar

Thank you for posting your question in the Microsoft Q&A forum.

To generate sample events for Threat Intelligence in Microsoft Defender for Office 365, you can simulate detections in a controlled manner. These simulations trigger the protection mechanisms, resulting in logs that appear as Threat Intelligence records.

Note: Always conduct testing in a non-production environment or with test accounts to avoid disrupting real users.

Two primary methods to generate events: phishing simulations and malware testing. These will produce logs viewable in the Microsoft Defender portal.

Simulate Phishing Events for AuditLogRecordType 28 Phish or 41 Safe Links Use the built-in Attack simulation training feature in the Microsoft Defender portal. This sends realistic phishing emails to targeted users, triggering detections and logging user interactions.
Simulate Malware Events for AuditLogRecordType 28 Malware Send an email with the EICAR test file attached. EICAR is a harmless string recognized by antivirus engines as a test "virus," allowing safe testing without real malware. Defender for Office 365 will detect, quarantine, and log it.

To stimulate an attack, please follow the steps in this article:

Simulate a phishing attack with Attack simulation training - Microsoft Defender for Office 365 | Microsoft Learn

You can check events in the Defender portal's Threat Explorer (Email & collaboration > Explorer) for real-time views of phish/malware data.

I hope this information helps.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

User's image

Swarada Jalukar 0 Reputation points

2025-08-26T08:56:09.0133333+00:00

Hey @Jayden-P ,

Thanks for the response.

I have tried generating Attack simulation events, but still I cannot see any events under this API(Audit.general content) nor in the UI under Email and Collaboration Explorer, although Attack simulation is in Active state.

I am actually expecting events for below Workloads:

"ThreatIntelligence","ThreatIntelligenceUrl","ThreatIntelligenceAtpContent","ThreatFinder","MSTIC"
Ref: https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype

Can you help me with the same?
Jayden-P 6,210 Reputation points Microsoft External Staff Moderator

2025-08-26T11:54:10.05+00:00
Hi @Swarada Jalukar

I'm so sorry for the confusion.

Attack simulation event logs will appear in Email & collaboration > Attack simulation training > Simulations tab.

Moreover, attack simulation doesn't trigger Threat Intelligence. (Again, I'm sorry for the confusion). You need to create a real situation to test it.

First, ensure audit logging is enabled in Purview.

For Malware:

From an external email account, send an email to a test user in your organization with the EICAR string as an attachment.

Defender should detect and quarantine it. 3

Check in Explorer > Malware tab.

For Phish or URL click:

From an external email account, send an email with a safe but malicious test URL to trigger Safe Links.

Have the test user click it; Safe Links should scan/block if configured.

View in Explorer > Phish or URL clicks tabs.

To use Microsoft Management API, my suggestion is reaching out to Microsoft Defender Threat Intelligence | Microsoft Community Hub

This forum has dedicated moderator could assist you more effectively.

I apologize for re-directing you to another platform, I know this is very inconvenience for you. This is beyond my knowledge; you can receive a more detailed support there.

Thanks for your understanding.

If you think our discussion is helpful, you can consider marking this thread as accepted answer.
Jayden-P 6,210 Reputation points Microsoft External Staff Moderator

2025-08-28T06:52:15.6433333+00:00

Hi @Swarada Jalukar

Is there any update from you?

Are you able to view the logs?
Swarada Jalukar 0 Reputation points

2025-08-28T07:46:26.4366667+00:00

Hey @Jayden-P ,

No, I am unable to see the logs yet. I tried to generate the logs, by methods you suggested. Hence, I have posted my query on the Defender Tech community - https://techcommunity.microsoft.com/discussions/microsoftdefenderthreatintelligence/need-information-on-generating-sample-events-for-threat-intelligence/4448904
Jayden-P 6,210 Reputation points Microsoft External Staff Moderator

2025-08-28T14:27:18.14+00:00

Hi @Swarada Jalukar

I saw that your question has been approved.

Please be patient and there will be dedicated moderator there to assist you.If you think our discussion is helpful, you can consider marking this thread as accepted answer.

Warm thanks.
Swarada Jalukar 0 Reputation points

2025-08-29T05:42:42.27+00:00

Sure @Jayden-P . Thanks a lot for your help!
Jayden-P 6,210 Reputation points Microsoft External Staff Moderator

2025-08-29T06:00:22.7633333+00:00

Hi @Swarada Jalukar

It was my pleasure to partially help you.

Hope you have a good day.

Share via

How to generate sample events for Microsoft Defender Threat Intelligence?

1 answer

Your answer