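{
  "_comment": "Sample Azure Activity Log event in the Security category (a Microsoft.Security alert), from https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-activity-log-schema. Values such as myResourceGroup and myUser are placeholders. In this sample the top-level 'level' is Informational while properties.Severity is High, so triage and alert routing should read properties.Severity rather than 'level' alone.",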
  "channels": "Operation",
  "correlationId": "965d6c6a-a790-4a7e-8e9a-41771b3fbc38",
  "description": "Suspicious double extension file executed. Machine logs indicate an execution of a process with a suspicious double extension.\r\nThis extension may trick users into thinking files are safe to be opened and might indicate the presence of malware on the system.",
  "eventDataId": "965d6c6a-a790-4a7e-8e9a-41771b3fbc38",
  "eventName": {
    "value": "Suspicious double extension file executed",
    "localizedValue": "Suspicious double extension file executed"
  },
  "category": {
    "value": "Security",
    "localizedValue": "Security"
  },
  "eventTimestamp": "2017-10-18T06:02:18.6179339Z",
  "id": "/subscriptions/d4742bb8-c279-4903-9653-9858b17d0c2e/providers/Microsoft.Security/locations/centralus/alerts/965d6c6a-a790-4a7e-8e9a-41771b3fbc38/events/965d6c6a-a790-4a7e-8e9a-41771b3fbc38/ticks/636439033386179339",
  "level": "Informational",
  "operationId": "965d6c6a-a790-4a7e-8e9a-41771b3fbc38",
  "operationName": {
    "value": "Microsoft.Security/locations/alerts/activate/action",
    "localizedValue": "Microsoft.Security/locations/alerts/activate/action"
  },
  "resourceGroupName": "myResourceGroup",
  "resourceProviderName": {
    "value": "Microsoft.Security",
    "localizedValue": "Microsoft.Security"
  },
  "resourceType": {
    "value": "Microsoft.Security/locations/alerts",
    "localizedValue": "Microsoft.Security/locations/alerts"
  },
  "resourceId": "/subscriptions/d4742bb8-c279-4903-9653-9858b17d0c2e/providers/Microsoft.Security/locations/centralus/alerts/2518939942613820660_a48f8653-3fc6-4166-9f19-914f030a13d3",
  "status": {
    "value": "Active",
    "localizedValue": "Active"
  },
  "subStatus": {
    "value": null
  },
  "submissionTimestamp": "2017-10-18T06:02:52.2176969Z",
  "subscriptionId": "d4742bb8-c279-4903-9653-9858b17d0c2e",
  "properties": {
    "accountLogonId": "0x2r4",
    "commandLine": "c:\\mydirectory\\doubleetension.pdf.exe",
    "domainName": "hpc",
    "parentProcess": "unknown",
    "parentProcess id": "0",
    "processId": "6988",
    "processName": "c:\\mydirectory\\doubleetension.pdf.exe",
    "userName": "myUser",
    "UserSID": "S-3-2-12",
    "ActionTaken": "Detected",
    "Severity": "High"
  },
  "relatedEvents": []
}