The XDR Story Parser helps you to parse attack stories from Microsoft Defender XDR and further work with them outside of the XDR portal.
XDR alert stories are a special JSON format that Microsoft uses in the Defender XDR portal to display a process tree and the alert timeline.
Note
This code contains large portions of LLM generated code. Use at your own risk and don't blame me too hard.
- Open the incident in the Defender XDR portal
- Open the developer tools in your browser
- Switch to the network tab
- Add a filter for the word story or timeline
- Select one of the alerts you expect to be from Defender for Endpoint
- If you see the story element in the network tab of the Developer Tools, go to the Preview tab
- Right click in the top and select Copy object
- Save the content as `.json` or `.jsonc` on your hard drive
Open the URL: https://immunit.github.io/XDRStoryParser/ This URL has been configured as a GitHub Page in this repository's settings so that GitHub renders it as a website. See Settings > Pages
By default the JSON file contains sensitive information like user-, computer-, and domain names. You can use the anonymize feature to replace all of their occurrences with the word REDACTED. This makes it safer to share those JSON files with other people or to store them for later use.
Certain well-known SIDs and usernames are never redacted, as they are universal and not environment specific.
You can download the redacted version of the JSON for later use.
Warning
IP addresses are currently not part of the redacted data
Caution
While I tried to test a lot of alerts, there might be edge cases where the data is not redacted. Use at your own risk and validate the results.
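To make the redaction rules above concrete, here is an added example that is not the XDR Story Parser's own code: a small anonymizer that replaces the supplied user, computer and domain names and every environment-specific SID with REDACTED, keeps well-known SIDs, and reports the IP addresses that remain. The story schema is not documented on this page, so `SAMPLE_STORY` is a constructed, simplified object and `WELL_KNOWN_SIDS` is an assumed allow-list.

```javascript
// Universal SIDs that are not environment specific and are never redacted
// (assumption: the tool's own allow-list may differ from this one).
const WELL_KNOWN_SIDS = new Set([
  "S-1-1-0",      // Everyone
  "S-1-5-18",     // NT AUTHORITY\SYSTEM
  "S-1-5-19",     // NT AUTHORITY\LOCAL SERVICE
  "S-1-5-20",     // NT AUTHORITY\NETWORK SERVICE
  "S-1-5-32-544", // BUILTIN\Administrators
]);
const SID_RE = /S-1-\d+(?:-\d+)+/g;
const IPV4_RE = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g;

// Redact user, computer and domain names (matched literally, case-insensitive)
// and every SID that is not on the well-known list inside one string value.
function redactString(value, names) {
  let out = value;
  for (const name of names) {
    const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
    out = out.replace(new RegExp(escaped, "gi"), "REDACTED");
  }
  return out.replace(SID_RE, (sid) => (WELL_KNOWN_SIDS.has(sid) ? sid : "REDACTED"));
}

// Walk the whole story: string values are redacted, keys and non-strings are kept.
function anonymize(node, names) {
  if (typeof node === "string") return redactString(node, names);
  if (Array.isArray(node)) return node.map((n) => anonymize(n, names));
  if (node !== null && typeof node === "object") {
    return Object.fromEntries(Object.entries(node).map(([k, v]) => [k, anonymize(v, names)]));
  }
  return node;
}

// IP addresses are not part of the redacted data; list what is still present so
// a reviewer can decide whether the file is safe to share.
function remainingIps(node) {
  return [...JSON.stringify(node).matchAll(IPV4_RE)].map((m) => m[0]);
}

// Constructed sample: two process events as a story might contain them.
const SAMPLE_STORY = {
  host: "WS01.corp.example.com",
  events: [{ user: "CORP\\jdoe", sid: "S-1-5-21-1111-2222-3333-1001",
             cmd: "powershell.exe -c Test-NetConnection 10.1.2.3" },
           { user: "NT AUTHORITY\\SYSTEM", sid: "S-1-5-18", cmd: "svchost.exe" }],
};
// List longer names before their substrings so "CORP" cannot split "corp.example.com".
const REDACTED_STORY = anonymize(SAMPLE_STORY, ["jdoe", "WS01", "corp.example.com", "CORP"]);
```

Running `remainingIps(REDACTED_STORY)` after anonymizing is the check the caution above asks for: anything it returns still has to be reviewed by hand before the file is shared.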
If you don't need all the information of the process tree but want to focus only on a particular part, you can easily zoom in and hide the rest.
Working with segmented PowerShell scripts in the original view can be a pain. XDR Story Parser lets you easily extract all PowerShell scripts from the alert story. The data will include comments with the date, time and the user executing the script.
Tip
The extract PowerShell scripts function honors the current zoom setting
Similar to PowerShell scripts you can also export command lines for use outside of the alert story.
Tip
The extract command lines function honors the current zoom setting
Extract the currently visible process tree as a text-only representation. It will still contain icons (emoji) for the different types of nodes.
Tip
The extract process tree as text function honors the current zoom setting
If you click Screenshot, the complete process tree will be captured and downloaded as an image. This makes it super easy to share certain parts of the alert story as you want to present them.
Tip
The screenshot function honors the current zoom setting
A big thank you to Christopher Hackenschmidt, for showing me the story API endpoint in the first place. Without his inspiration I would have not built this tool.
| Version | Release date | Release notes |
|---|---|---|
| 1.0.3 | 2025-08-24 | Add new theme "Timeline" and improve overall css |
| 1.0.2 | 2025-08-24 | Add new "Extract process tree as text" feature |
| 1.0.1 | 2025-08-24 | Improved CSS style to better use the available space and don't mess up the process tree. |
| 1.0.0 | 2025-08-23 | Initial release |