Collect Microsoft Defender for Endpoint logs

This document describes how you can collect Microsoft Defender for Endpoint logs by setting up a Google Security Operations feed and how log fields map to Google SecOps unified data model (UDM) fields.

For more information, see Data ingestion to Google SecOps.

A typical deployment consists of Microsoft Defender for Endpoint and the Google SecOps feed configured to send logs to Google SecOps. Your deployment might be different from the typical deployment that is described in this document. The deployment contains the following components:

  • Microsoft Defender for Endpoint: the platform that collects logs.

  • Azure Storage: the platform that stores logs.

  • Google SecOps feed: the Google SecOps feed that fetches logs from Microsoft Defender for Endpoint and writes logs to Google SecOps.

  • Google SecOps: the platform that retains and analyzes the logs from Microsoft Defender for Endpoint.

An ingestion label identifies the parser that normalizes raw log data to structured UDM format. The information in this document applies to the parser with the MICROSOFT_DEFENDER_ENDPOINT ingestion label.

Before you begin

Set up Microsoft Defender for Endpoint

  1. Sign in to security.microsoft.com as a global administrator or security administrator.
  2. In the left pane, click Settings.
  3. Select the Microsoft Defender XDR tab.
  4. Select Streaming API from the general section and click Add.
  5. Select Forward events to Azure Storage.
  6. Navigate to the storage account of your choice.
  7. Select Overview > JSON View and enter the Resource ID.
  8. After you enter the resource ID, select all the required data types.
  9. Click Save.

Configure a feed in Google SecOps to ingest Microsoft Defender for Endpoint logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add new.
  3. In the Feed name field, enter a name for the feed (for example, MS Defender Logs).
  4. Select Microsoft Azure Blob Storage as the Source Type.
  5. Select Microsoft Defender for Endpoint as the Log type.
  6. Click Next.
  7. Configure the following input parameters:
    • Azure URI: the URI pointing to an Azure Blob Storage blob or container.
    • URI is a: the type of object indicated by the URI.
    • Source deletion option: whether to delete files or directories after transferring.
    • Select Shared key or SAS token.
    • Key/Token: the shared key or SAS token to access Azure resources.
  8. Click Next and then Submit.

If you encounter issues when you ingest Microsoft Defender for Endpoint logs, contact Google SecOps support.

Supported Microsoft Defender for Endpoint log types

The Microsoft Defender for Endpoint parser supports the following tables:

  • AlertEvidence
  • AlertInfo
  • DeviceAlertEvents
  • DeviceEvents
  • DeviceFileCertificateInfo
  • DeviceFileEvents
  • DeviceIdentityLogonEvents
  • DeviceImageLoadEvents
  • DeviceInfo
  • DeviceLogonEvents
  • DeviceNetworkEvents
  • DeviceNetworkInfo
  • DeviceProcessEvents
  • DeviceRegistryEvents
  • DeviceTvmInfoGathering
  • DeviceTvmInfoGatheringKB
  • DeviceTvmSecureConfigurationAssessment
  • DeviceTvmSecureConfigurationAssessmentKB
  • DeviceTvmSoftwareEvidenceBeta
  • DeviceTvmSoftwareInventory
  • DeviceTvmSoftwareVulnerabilities
  • DeviceTvmSoftwareVulnerabilitiesKB
  • EmailAttachmentInfo
  • EmailEvents
  • EmailPostDeliveryEvents
  • EmailUrlInfo
  • IdentityInfo

Field mapping reference

This section explains how the Google Security Operations parser maps Microsoft Defender for Endpoint fields to Google Security Operations UDM fields.

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - Common Fields for UDM Event Model

The following table lists the common log fields for the MICROSOFT_DEFENDER_ENDPOINT log type and their corresponding UDM fields:

| Common log field | UDM mapping | Logic |
|---|---|---|
| | metadata.product_name | The metadata.product_name UDM field is set to Microsoft Defender for Endpoint. |
| | metadata.vendor_name | The metadata.vendor_name UDM field is set to Microsoft. |
| category | metadata.product_event_type | |
| operationName | additional.fields[operation_name] | |
| Tenant | observer.resource_ancestors.name | |
| tenantId | observer.resource_ancestors.product_object_id | |
| time | metadata.collected_timestamp | |

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - Common Fields for UDM Entity Model

The following table lists the common log fields for the MICROSOFT_DEFENDER_ENDPOINT log type and their corresponding UDM fields:

| Common log field | UDM mapping | Logic |
|---|---|---|
| | metadata.vendor_name | The metadata.vendor_name UDM field is set to Microsoft. |
| | metadata.product_name | The metadata.product_name UDM field is set to Microsoft Defender for Endpoint. |
| | relations.entity_type | The relations.entity_type UDM field is set to RESOURCE. |
| | relations.relationship | The relations.relationship UDM field is set to MEMBER. |
| | relations.direction | The relations.direction UDM field is set to UNIDIRECTIONAL. |
| category | metadata.description | |
| operationName | additional.fields[operation_name] | |
| Tenant | relations.entity.resource.name | |
| tenantId | relations.entity.resource.product_object_id | |
| time | metadata.collected_timestamp | |

Field mapping reference: DeviceEvents Event Identifier to Event Type

The following table lists the DeviceEvents log action types and their corresponding UDM event types.

| Event Identifier | Event Type |
|---|---|
| AccountCheckedForBlankPassword | SCAN_UNCATEGORIZED |
| AntivirusDefinitionsUpdated | SCAN_HOST |
| AntivirusDefinitionsUpdateFailed | SCAN_HOST |
| AntivirusDetection | SCAN_HOST |
| AntivirusDetectionActionType | SCAN_HOST |
| AntivirusEmergencyUpdatesInstalled | SCAN_HOST |
| AntivirusError | SCAN_HOST |
| AntivirusMalwareActionFailed | SCAN_HOST |
| AntivirusMalwareBlocked | SCAN_HOST |
| AntivirusReport | SCAN_HOST |
| AntivirusScanCancelled | SCAN_HOST |
| AntivirusScanCompleted | SCAN_HOST |
| AntivirusScanFailed | SCAN_HOST |
| AntivirusTroubleshootModeEvent | SCAN_HOST |
| AppControlAppInstallationAudited | SCAN_HOST |
| AppControlAppInstallationBlocked | SCAN_HOST |
| AppControlCIScriptAudited | SCAN_HOST |
| AppControlCIScriptBlocked | SCAN_HOST |
| AppControlCodeIntegrityDriverRevoked | SCAN_HOST |
| AppControlCodeIntegrityImageAudited | SCAN_HOST |
| AppControlCodeIntegrityImageRevoked | SCAN_HOST |
| AppControlCodeIntegrityOriginAllowed | SCAN_HOST |
| AppControlCodeIntegrityOriginAudited | SCAN_HOST |
| AppControlCodeIntegrityOriginBlocked | SCAN_HOST |
| AppControlCodeIntegrityPolicyAudited | SCAN_HOST |
| AppControlCodeIntegrityPolicyBlocked | SCAN_HOST |
| AppControlCodeIntegrityPolicyLoaded | SCAN_HOST |
| AppControlCodeIntegritySigningInformation | SCAN_HOST |
| AppControlExecutableAudited | SCAN_HOST |
| AppControlExecutableBlocked | SCAN_HOST |
| AppControlPackagedAppAudited | SCAN_HOST |
| AppControlPackagedAppBlocked | SCAN_HOST |
| AppControlPolicyApplied | SCAN_HOST |
| AppControlScriptAudited | SCAN_HOST |
| AppControlScriptBlocked | SCAN_HOST |
| AppGuardBrowseToUrl | SCAN_HOST |
| AppGuardCreateContainer | SCAN_HOST |
| AppGuardLaunchedWithUrl | SCAN_HOST |
| AppGuardResumeContainer | SCAN_HOST |
| AppGuardStopContainer | SCAN_HOST |
| AppGuardSuspendContainer | SCAN_HOST |
| AppLockerBlockExecutable | PROCESS_UNCATEGORIZED |
| AppLockerBlockPackagedApp | STATUS_UPDATE |
| AppLockerBlockPackagedAppInstallation | STATUS_UPDATE |
| AppLockerBlockScript | STATUS_UPDATE |
| AsrAdobeReaderChildProcessAudited | SCAN_HOST |
| AsrAdobeReaderChildProcessBlocked | SCAN_HOST |
| AsrExecutableEmailContentAudited | SCAN_HOST |
| AsrExecutableEmailContentBlocked | SCAN_HOST |
| AsrExecutableOfficeContentAudited | SCAN_HOST |
| AsrExecutableOfficeContentBlocked | SCAN_HOST |
| AsrLsassCredentialTheftAudited | SCAN_HOST |
| AsrLsassCredentialTheftBlocked | SCAN_HOST |
| AsrObfuscatedScriptAudited | SCAN_HOST |
| AsrObfuscatedScriptBlocked | SCAN_HOST |
| AsrOfficeChildProcessAudited | SCAN_HOST |
| AsrOfficeChildProcessBlocked | SCAN_HOST |
| AsrOfficeCommAppChildProcessAudited | SCAN_HOST |
| AsrOfficeCommAppChildProcessBlocked | SCAN_HOST |
| AsrOfficeMacroWin32ApiCallsAudited | SCAN_HOST |
| AsrOfficeMacroWin32ApiCallsBlocked | SCAN_HOST |
| AsrOfficeProcessInjectionAudited | SCAN_HOST |
| AsrOfficeProcessInjectionBlocked | SCAN_HOST |
| AsrPersistenceThroughWmiAudited | SCAN_HOST |
| AsrPersistenceThroughWmiBlocked | SCAN_HOST |
| AsrPsexecWmiChildProcessAudited | SCAN_HOST |
| AsrPsexecWmiChildProcessBlocked | SCAN_HOST |
| AsrRansomwareAudited | SCAN_HOST |
| AsrRansomwareBlocked | SCAN_HOST |
| AsrScriptExecutableDownloadAudited | SCAN_HOST |
| AsrScriptExecutableDownloadBlocked | SCAN_HOST |
| AsrUntrustedExecutableAudited | SCAN_HOST |
| AsrUntrustedExecutableBlocked | SCAN_HOST |
| AsrUntrustedUsbProcessAudited | SCAN_HOST |
| AsrUntrustedUsbProcessBlocked | SCAN_HOST |
| AsrVulnerableSignedDriverAudited | SCAN_HOST |
| AsrVulnerableSignedDriverBlocked | SCAN_HOST |
| AuditPolicyModification | SERVICE_MODIFICATION |
| BitLockerAuditCompleted | SERVICE_UNSPECIFIED |
| BluetoothPolicyTriggered | STATUS_UPDATE |
| BrowserLaunchedToOpenUrl | NETWORK_UNCATEGORIZED |
| ClrUnbackedModuleLoaded | PROCESS_MODULE_LOAD |
| ControlFlowGuardViolation | STATUS_UPDATE |
| ControlledFolderAccessViolationAudited | SCAN_FILE |
| ControlledFolderAccessViolationBlocked | SCAN_FILE |
| CreateRemoteThreadApiCall | PROCESS_UNCATEGORIZED |
| CredentialsBackup | SERVICE_START |
| DeviceBootAttestationInfo | STATUS_UPDATE |
| DirectoryServiceObjectCreated | SERVICE_MODIFICATION |
| DirectoryServiceObjectModified | SERVICE_MODIFICATION |
| DlpPocPrintJob | FILE_UNCATEGORIZED |
| DnsQueryRequest | NETWORK_DNS |
| DnsQueryResponse | NETWORK_DNS |
| DpapiAccessed | GENERIC_EVENT |
| DriverLoad | PROCESS_MODULE_LOAD |
| ExploitGuardAcgAudited | SCAN_HOST |
| ExploitGuardAcgEnforced | SCAN_HOST |
| ExploitGuardChildProcessAudited | SCAN_HOST |
| ExploitGuardChildProcessBlocked | SCAN_HOST |
| ExploitGuardEafViolationAudited | SCAN_HOST |
| ExploitGuardEafViolationBlocked | SCAN_HOST |
| ExploitGuardIafViolationAudited | SCAN_HOST |
| ExploitGuardIafViolationBlocked | SCAN_HOST |
| ExploitGuardLowIntegrityImageAudited | SCAN_HOST |
| ExploitGuardLowIntegrityImageBlocked | SCAN_HOST |
| ExploitGuardNetworkProtectionAudited | SCAN_HOST |
| ExploitGuardNetworkProtectionBlocked | SCAN_HOST |
| ExploitGuardNonMicrosoftSignedAudited | SCAN_HOST |
| ExploitGuardNonMicrosoftSignedBlocked | SCAN_HOST |
| ExploitGuardRopExploitAudited | SCAN_HOST |
| ExploitGuardRopExploitBlocked | SCAN_HOST |
| ExploitGuardSharedBinaryAudited | SCAN_HOST |
| ExploitGuardSharedBinaryBlocked | SCAN_HOST |
| ExploitGuardWin32SystemCallAudited | SCAN_HOST |
| ExploitGuardWin32SystemCallBlocked | SCAN_HOST |
| FileTimestampModificationEvent | FILE_MODIFICATION |
| FirewallInboundConnectionBlocked | NETWORK_CONNECTION |
| FirewallInboundConnectionToAppBlocked | NETWORK_CONNECTION |
| FirewallOutboundConnectionBlocked | NETWORK_CONNECTION |
| FirewallServiceStopped | SERVICE_STOP |
| GetAsyncKeyStateApiCall | STATUS_UPDATE |
| GetClipboardData | STATUS_UPDATE |
| LdapSearch | STATUS_UPDATE |
| LogonRightsSettingEnabled | USER_CHANGE_PERMISSIONS |
| MemoryRemoteProtect | PROCESS_UNCATEGORIZED |
| NamedPipeEvent | PROCESS_UNCATEGORIZED |
| NetworkProtectionUserBypassEvent | NETWORK_UNCATEGORIZED |
| NetworkShareObjectAccessChecked | NETWORK_UNCATEGORIZED |
| NetworkShareObjectAdded | NETWORK_UNCATEGORIZED |
| NetworkShareObjectDeleted | NETWORK_UNCATEGORIZED |
| NetworkShareObjectModified | NETWORK_UNCATEGORIZED |
| NtAllocateVirtualMemoryApiCall | PROCESS_UNCATEGORIZED |
| NtAllocateVirtualMemoryRemoteApiCall | PROCESS_UNCATEGORIZED |
| NtMapViewOfSectionRemoteApiCall | PROCESS_UNCATEGORIZED |
| NtProtectVirtualMemoryApiCall | PROCESS_UNCATEGORIZED |
| OpenProcessApiCall | PROCESS_OPEN |
| OtherAlertRelatedActivity | STATUS_UPDATE |
| PasswordChangeAttempt | USER_CHANGE_PASSWORD |
| PlistPropertyModified | FILE_MODIFICATION |
| PnpDeviceAllowed | DEVICE_CONFIG_UPDATE |
| PnpDeviceBlocked | STATUS_UPDATE |
| PnpDeviceConnected | STATUS_UPDATE |
| PowerShellCommand | PROCESS_LAUNCH |
| PrintJobBlocked | STATUS_UPDATE |
| ProcessCreatedUsingWmiQuery | PROCESS_LAUNCH |
| ProcessPrimaryTokenModified | PROCESS_UNCATEGORIZED |
| PTraceDetected | PROCESS_UNCATEGORIZED |
| QueueUserApcRemoteApiCall | PROCESS_LAUNCH |
| ReadProcessMemoryApiCall | PROCESS_UNCATEGORIZED |
| RemoteDesktopConnection | NETWORK_CONNECTION |
| RemoteWmiOperation | NETWORK_CONNECTION |
| RemovableStorageFileEvent | FILE_UNCATEGORIZED |
| RemovableStoragePolicyTriggered | STATUS_UPDATE |
| SafeDocFileScan | SCAN_FILE |
| ScheduledTaskCreated | SCHEDULED_TASK_CREATION |
| ScheduledTaskDeleted | SCHEDULED_TASK_DELETION |
| ScheduledTaskDisabled | SCHEDULED_TASK_DISABLE |
| ScheduledTaskEnabled | SCHEDULED_TASK_ENABLE |
| ScheduledTaskUpdated | SCHEDULED_TASK_MODIFICATION |
| ScreenshotTaken | GENERIC_EVENT |
| ScriptContent | PROCESS_LAUNCH |
| SecurityGroupCreated | GROUP_CREATION |
| SecurityGroupDeleted | GROUP_DELETION |
| SecurityLogCleared | SYSTEM_AUDIT_LOG_WIPE |
| SensitiveFileRead | FILE_READ |
| ServiceInstalled | SERVICE_CREATION |
| SetThreadContextRemoteApiCall | PROCESS_UNCATEGORIZED |
| ShellLinkCreateFileEvent | FILE_CREATION |
| SmartScreenAppWarning | SCAN_UNCATEGORIZED |
| SmartScreenExploitWarning | SCAN_HOST |
| SmartScreenUrlWarning | SCAN_UNCATEGORIZED |
| SmartScreenUserOverride | SCAN_UNCATEGORIZED |
| TamperingAttempt | SETTING_MODIFICATION |
| TvmAxonTelemetryEvent | STATUS_UPDATE |
| UntrustedWifiConnection | NETWORK_CONNECTION |
| UsbDriveDriveLetterChanged | DEVICE_CONFIG_UPDATE |
| UsbDriveMount | DEVICE_CONFIG_UPDATE |
| UsbDriveMounted | DEVICE_CONFIG_UPDATE |
| UsbDriveUnmount | DEVICE_CONFIG_UPDATE |
| UsbDriveUnmounted | DEVICE_CONFIG_UPDATE |
| UserAccountAddedToLocalGroup | GROUP_MODIFICATION |
| UserAccountCreated | USER_CREATION |
| UserAccountDeleted | USER_DELETION |
| UserAccountModified | USER_UNCATEGORIZED |
| UserAccountRemovedFromLocalGroup | GROUP_MODIFICATION |
| WmiBindEventFilterToConsumer | STATUS_UPDATE |
| WriteProcessMemoryApiCall | PROCESS_UNCATEGORIZED |
| WriteToLsassProcessMemory | PROCESS_UNCATEGORIZED |

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceEvents

The following table lists the log fields for the DeviceEvents log type and their corresponding UDM fields:

Log field UDM mapping Logic
properties.AccountDomain principal.administrative_domain If the properties.ActionType log field contains one of the following values, and the properties.InitiatingProcessAccountDomain log field value is empty, then the properties.AccountDomain log field is mapped to the target.administrative_domain UDM field.
  • PasswordChangeAttempt
  • UserAccountCreated
  • UserAccountDeleted
Else, if the properties.InitiatingProcessAccountDomain log field value is empty, then the properties.AccountDomain log field is mapped to the principal.administrative_domain UDM field.
properties.AccountName principal.user.userid If the properties.ActionType log field contains one of the following values, and the properties.InitiatingProcessAccountName log field value is empty, then the properties.AccountName log field is mapped to the target.user.userid UDM field.
  • PasswordChangeAttempt
  • UserAccountCreated
  • UserAccountDeleted
Else, if the properties.InitiatingProcessAccountName log field value is empty, then the properties.AccountName log field is mapped to the principal.user.userid UDM field.
properties.AccountSid principal.user.windows_sid If the properties.ActionType log field contains one of the following values, and the properties.InitiatingProcessAccountSid log field value is empty, then the properties.AccountSid log field is mapped to the target.user.windows_sid UDM field.
  • PasswordChangeAttempt
  • UserAccountCreated
  • UserAccountDeleted
Else, if the properties.InitiatingProcessAccountSid log field value is empty, then the properties.AccountSid log field is mapped to the principal.user.windows_sid UDM field.
properties.ActionType metadata.event_type
properties.ActionType security_result.action If the properties.ActionType log field value matches the regular expression pattern (?i)Allow, then the security_result.action UDM field is set to ALLOW.

Else if the properties.ActionType log field value matches the regular expression pattern (?i)Block, then the security_result.action UDM field is set to BLOCK.

Else if the properties.ActionType log field value matches the regular expression pattern (?i)Fail, then the security_result.action UDM field is set to FAIL.
properties.AdditionalFields additional.fields[additional_fields]
properties.AppGuardContainerId additional.fields[app_guard_container_id]
properties.DeviceId principal.asset_id The principal.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.DeviceName principal.hostname
properties.FileName target.file.names If the properties.RemoteDeviceName log field value contains one of the following values:
  • ProcessCreatedUsingWmiQuery
  • OpenProcessApiCall
  • MemoryRemoteProtect
  • NtAllocateVirtualMemoryApiCall
  • NtAllocateVirtualMemoryRemoteApiCall
  • NtMapViewOfSectionRemoteApiCall
  • NtProtectVirtualMemoryApiCall
  • ProcessPrimaryTokenModified
  • ReadProcessMemoryApiCall
  • SetThreadContextRemoteApiCall
  • WriteProcessMemoryApiCall
  • WriteToLsassProcessMemory
  • CreateRemoteThreadApiCall
  • AsrOfficeProcessInjectionAudited
  • AsrAdobeReaderChildProcessAudited
  • AsrAdobeReaderChildProcessBlocked
  • AsrOfficeChildProcessAudited
  • AsrOfficeCommAppChildProcessAudited
  • AsrPsexecWmiChildProcessAudited
  • AsrUntrustedUsbProcessAudited
  • ExploitGuardChildProcessAudited
  • AsrOfficeChildProcessBlocked
  • AsrOfficeProcessInjectionBlocked
  • AsrPsexecWmiChildProcessBlocked
  • AsrUntrustedUsbProcessBlocked
  • ExploitGuardChildProcessBlocked
  • AsrOfficeCommAppChildProcessBlocked
and the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.FileName log field is mapped to the target.process.file.names UDM field.
Else, if the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.FileName log field is mapped to the target.file.names UDM field.
properties.FileOriginIP principal.ip
properties.FileOriginUrl principal.url
properties.FileSize target.file.size If the properties.RemoteDeviceName log field value contains one of the following values:
  • ProcessCreatedUsingWmiQuery
  • OpenProcessApiCall
  • MemoryRemoteProtect
  • NtAllocateVirtualMemoryApiCall
  • NtAllocateVirtualMemoryRemoteApiCall
  • NtMapViewOfSectionRemoteApiCall
  • NtProtectVirtualMemoryApiCall
  • ProcessPrimaryTokenModified
  • ReadProcessMemoryApiCall
  • SetThreadContextRemoteApiCall
  • WriteProcessMemoryApiCall
  • WriteToLsassProcessMemory
  • CreateRemoteThreadApiCall
  • AsrOfficeProcessInjectionAudited
  • AsrAdobeReaderChildProcessAudited
  • AsrAdobeReaderChildProcessBlocked
  • AsrOfficeChildProcessAudited
  • AsrOfficeCommAppChildProcessAudited
  • AsrPsexecWmiChildProcessAudited
  • AsrUntrustedUsbProcessAudited
  • ExploitGuardChildProcessAudited
  • AsrOfficeChildProcessBlocked
  • AsrOfficeProcessInjectionBlocked
  • AsrPsexecWmiChildProcessBlocked
  • AsrUntrustedUsbProcessBlocked
  • ExploitGuardChildProcessBlocked
  • AsrOfficeCommAppChildProcessBlocked
and the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.FileSize log field is mapped to the target.process.file.size UDM field.
Else, if the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.FileSize log field is mapped to the target.file.size UDM field.
properties.FolderPath target.file.full_path If the properties.RemoteDeviceName log field value contains one of the following values:
  • ProcessCreatedUsingWmiQuery
  • OpenProcessApiCall
  • MemoryRemoteProtect
  • NtAllocateVirtualMemoryApiCall
  • NtAllocateVirtualMemoryRemoteApiCall
  • NtMapViewOfSectionRemoteApiCall
  • NtProtectVirtualMemoryApiCall
  • ProcessPrimaryTokenModified
  • ReadProcessMemoryApiCall
  • SetThreadContextRemoteApiCall
  • WriteProcessMemoryApiCall
  • WriteToLsassProcessMemory
  • CreateRemoteThreadApiCall
  • AsrOfficeProcessInjectionAudited
  • AsrAdobeReaderChildProcessAudited
  • AsrAdobeReaderChildProcessBlocked
  • AsrOfficeChildProcessAudited
  • AsrOfficeCommAppChildProcessAudited
  • AsrPsexecWmiChildProcessAudited
  • AsrUntrustedUsbProcessAudited
  • ExploitGuardChildProcessAudited
  • AsrOfficeChildProcessBlocked
  • AsrOfficeProcessInjectionBlocked
  • AsrPsexecWmiChildProcessBlocked
  • AsrUntrustedUsbProcessBlocked
  • ExploitGuardChildProcessBlocked
  • AsrOfficeCommAppChildProcessBlocked
and the properties.FolderPath log field value matches a regular expression pattern built from the properties.FileName log field value, then the properties.FolderPath log field is mapped to the target.process.file.full_path UDM field. Otherwise, the target.process.file.full_path UDM field is set to %{properties.FolderPath}\%{properties.FileName}.
Else, if the properties.FolderPath log field value matches a regular expression pattern built from the properties.FileName log field value, then the properties.FolderPath log field is mapped to the target.file.full_path UDM field. Otherwise, the target.file.full_path UDM field is set to %{properties.FolderPath}\%{properties.FileName}.
properties.InitiatingProcessAccountDomain principal.administrative_domain If the properties.ActionType log field contains one of the following values, and the properties.InitiatingProcessAccountDomain log field value is not empty, then the properties.InitiatingProcessAccountDomain log field is mapped to the target.administrative_domain UDM field.
  • PasswordChangeAttempt
  • UserAccountCreated
  • UserAccountDeleted
Else, if the properties.InitiatingProcessAccountDomain log field value is not empty, then the properties.InitiatingProcessAccountDomain log field is mapped to the principal.administrative_domain UDM field.
properties.InitiatingProcessAccountName principal.user.userid If the properties.ActionType log field contains one of the following values, and the properties.InitiatingProcessAccountName log field value is not empty, then the properties.InitiatingProcessAccountName log field is mapped to the target.user.userid UDM field.
  • PasswordChangeAttempt
  • UserAccountCreated
  • UserAccountDeleted
Else, if the properties.InitiatingProcessAccountName log field value is not empty, then the properties.InitiatingProcessAccountName log field is mapped to the principal.user.userid UDM field.
properties.InitiatingProcessAccountObjectId principal.user.product_object_id
properties.InitiatingProcessAccountSid principal.user.windows_sid If the properties.ActionType log field contains one of the following values, and the properties.InitiatingProcessAccountSid log field value is not empty, then the properties.InitiatingProcessAccountSid log field is mapped to the target.user.windows_sid UDM field.
  • PasswordChangeAttempt
  • UserAccountCreated
  • UserAccountDeleted
Else, if the properties.InitiatingProcessAccountSid log field value is not empty, then the properties.InitiatingProcessAccountSid log field is mapped to the principal.user.windows_sid UDM field.
properties.InitiatingProcessAccountUpn principal.user.user_display_name
properties.InitiatingProcessCommandLine principal.process.command_line
properties.InitiatingProcessCreationTime additional.fields[initiating_process_creation_time]
properties.InitiatingProcessFileName principal.process.file.names
properties.InitiatingProcessFileSize principal.process.file.size
properties.InitiatingProcessFolderPath principal.process.file.full_path If the properties.InitiatingProcessFolderPath log field value matches a regular expression pattern built from the properties.InitiatingProcessFileName log field value, then the properties.InitiatingProcessFolderPath log field is mapped to the principal.process.file.full_path UDM field.

Else, the principal.process.file.full_path is set to %{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}.
properties.InitiatingProcessId principal.process.pid
properties.InitiatingProcessLogonId additional.fields[initiating_process_logon_id]
properties.InitiatingProcessMD5 principal.process.file.md5 If the properties.InitiatingProcessMD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessMD5 log field is mapped to the principal.process.file.md5 UDM field.
properties.InitiatingProcessParentCreationTime additional.fields[initiating_process_parent_creation_time]
properties.InitiatingProcessParentFileName principal.process.parent_process.file.names
properties.InitiatingProcessParentId principal.process.parent_process.pid
properties.InitiatingProcessSHA1 principal.process.file.sha1 If the properties.InitiatingProcessSHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessSHA1 log field is mapped to the principal.process.file.sha1 UDM field.
properties.InitiatingProcessSHA256 principal.process.file.sha256 If the properties.InitiatingProcessSHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.InitiatingProcessSHA256 log field is mapped to the principal.process.file.sha256 UDM field.
properties.InitiatingProcessVersionInfoCompanyName principal.process.file.exif_info.company
properties.InitiatingProcessVersionInfoFileDescription principal.process.file.exif_info.file_description
properties.InitiatingProcessVersionInfoInternalFileName additional.fields[process_version_info_internal_file_name]
properties.InitiatingProcessVersionInfoOriginalFileName principal.process.file.exif_info.original_file
properties.InitiatingProcessVersionInfoProductName principal.process.file.exif_info.product
properties.InitiatingProcessVersionInfoProductVersion additional.fields[process_version_info_product_version]
properties.LocalIP principal.ip
properties.LocalPort principal.port
properties.LogonId network.session_id
properties.MD5 target.file.md5 If the properties.RemoteDeviceName log field value contains one of the following values:
  • ProcessCreatedUsingWmiQuery
  • OpenProcessApiCall
  • MemoryRemoteProtect
  • NtAllocateVirtualMemoryApiCall
  • NtAllocateVirtualMemoryRemoteApiCall
  • NtMapViewOfSectionRemoteApiCall
  • NtProtectVirtualMemoryApiCall
  • ProcessPrimaryTokenModified
  • ReadProcessMemoryApiCall
  • SetThreadContextRemoteApiCall
  • WriteProcessMemoryApiCall
  • WriteToLsassProcessMemory
  • CreateRemoteThreadApiCall
  • AsrOfficeProcessInjectionAudited
  • AsrAdobeReaderChildProcessAudited
  • AsrAdobeReaderChildProcessBlocked
  • AsrOfficeChildProcessAudited
  • AsrOfficeCommAppChildProcessAudited
  • AsrPsexecWmiChildProcessAudited
  • AsrUntrustedUsbProcessAudited
  • ExploitGuardChildProcessAudited
  • AsrOfficeChildProcessBlocked
  • AsrOfficeProcessInjectionBlocked
  • AsrPsexecWmiChildProcessBlocked
  • AsrUntrustedUsbProcessBlocked
  • ExploitGuardChildProcessBlocked
  • AsrOfficeCommAppChildProcessBlocked
and the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.MD5 log field is mapped to the target.process.file.md5 UDM field.
Else, if the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.MD5 log field is mapped to the target.file.md5 UDM field.
properties.ProcessCommandLine target.process.command_line
properties.ProcessCreationTime additional.fields[process_creation_time]
properties.ProcessId target.process.pid
properties.ProcessTokenElevation target.process.token_elevation_type If the properties.ProcessTokenElevation log field value is equal to TokenElevationTypeFull, then the target.process.token_elevation_type UDM field is set to TYPE_1.

Else, if the properties.ProcessTokenElevation log field value is equal to TokenElevationTypeDefault, then the target.process.token_elevation_type UDM field is set to TYPE_2.

Else, if the properties.ProcessTokenElevation log field value is equal to TokenElevationTypeLimited, then the target.process.token_elevation_type UDM field is set to TYPE_3.
properties.RegistryKey target.registry.registry_key
properties.RegistryValueData target.registry.registry_value_data
properties.RegistryValueName target.registry.registry_value_name
properties.RemoteDeviceName target.hostname
properties.RemoteIP target.ip
properties.RemotePort target.port
properties.RemoteUrl target.url
properties.ReportId metadata.product_log_id
properties.SHA1 target.file.sha1 If the properties.RemoteDeviceName log field value contains one of the following values:
  • ProcessCreatedUsingWmiQuery
  • OpenProcessApiCall
  • MemoryRemoteProtect
  • NtAllocateVirtualMemoryApiCall
  • NtAllocateVirtualMemoryRemoteApiCall
  • NtMapViewOfSectionRemoteApiCall
  • NtProtectVirtualMemoryApiCall
  • ProcessPrimaryTokenModified
  • ReadProcessMemoryApiCall
  • SetThreadContextRemoteApiCall
  • WriteProcessMemoryApiCall
  • WriteToLsassProcessMemory
  • CreateRemoteThreadApiCall
  • AsrOfficeProcessInjectionAudited
  • AsrAdobeReaderChildProcessAudited
  • AsrAdobeReaderChildProcessBlocked
  • AsrOfficeChildProcessAudited
  • AsrOfficeCommAppChildProcessAudited
  • AsrPsexecWmiChildProcessAudited
  • AsrUntrustedUsbProcessAudited
  • ExploitGuardChildProcessAudited
  • AsrOfficeChildProcessBlocked
  • AsrOfficeProcessInjectionBlocked
  • AsrPsexecWmiChildProcessBlocked
  • AsrUntrustedUsbProcessBlocked
  • ExploitGuardChildProcessBlocked
  • AsrOfficeCommAppChildProcessBlocked
and the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.SHA1 log field is mapped to the target.process.file.sha1 UDM field.
Else, if the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.SHA1 log field is mapped to the target.file.sha1 UDM field.
properties.SHA256 target.file.sha256 If the properties.RemoteDeviceName log field value contains one of the following values:
  • ProcessCreatedUsingWmiQuery
  • OpenProcessApiCall
  • MemoryRemoteProtect
  • NtAllocateVirtualMemoryApiCall
  • NtAllocateVirtualMemoryRemoteApiCall
  • NtMapViewOfSectionRemoteApiCall
  • NtProtectVirtualMemoryApiCall
  • ProcessPrimaryTokenModified
  • ReadProcessMemoryApiCall
  • SetThreadContextRemoteApiCall
  • WriteProcessMemoryApiCall
  • WriteToLsassProcessMemory
  • CreateRemoteThreadApiCall
  • AsrOfficeProcessInjectionAudited
  • AsrAdobeReaderChildProcessAudited
  • AsrAdobeReaderChildProcessBlocked
  • AsrOfficeChildProcessAudited
  • AsrOfficeCommAppChildProcessAudited
  • AsrPsexecWmiChildProcessAudited
  • AsrUntrustedUsbProcessAudited
  • ExploitGuardChildProcessAudited
  • AsrOfficeChildProcessBlocked
  • AsrOfficeProcessInjectionBlocked
  • AsrPsexecWmiChildProcessBlocked
  • AsrUntrustedUsbProcessBlocked
  • ExploitGuardChildProcessBlocked
  • AsrOfficeCommAppChildProcessBlocked
and the properties.SHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.SHA256 log field is mapped to the target.process.file.sha256 UDM field.
Else, if the properties.SHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.SHA256 log field is mapped to the target.file.sha256 UDM field.
properties.Timestamp metadata.event_timestamp
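
As an added example (not the Google SecOps parser's own code), the following Python re-implements the main DeviceEvents rules from the table above on a constructed event: the event type lookup, the case-insensitive Allow/Block/Fail action check, principal versus target routing of the account fields, the target.file versus target.process.file split, and the hash regexes. The sample event, the trimmed lookup tables, and the reading of "matches a regular expression pattern built from the FileName value" as "FolderPath already ends with FileName" are assumptions made here.

```python
import re

# Added example, not the Google SecOps parser: a small re-implementation of the
# DeviceEvents mapping rules documented on this page, run on a constructed event.
# Subset of the "DeviceEvents Event Identifier to Event Type" table.
EVENT_TYPE_BY_ACTION = {
    "PowerShellCommand": "PROCESS_LAUNCH", "PasswordChangeAttempt": "USER_CHANGE_PASSWORD",
    "AsrOfficeChildProcessBlocked": "SCAN_HOST", "DnsQueryRequest": "NETWORK_DNS",
}
# ActionType values whose account fields describe the target rather than the principal.
ACCOUNT_TARGET_ACTIONS = {"PasswordChangeAttempt", "UserAccountCreated", "UserAccountDeleted"}
# Subset of the ActionType values for which file fields land under target.process.file.
PROCESS_FILE_ACTIONS = {
    "ProcessCreatedUsingWmiQuery", "OpenProcessApiCall", "CreateRemoteThreadApiCall",
    "WriteProcessMemoryApiCall", "WriteToLsassProcessMemory",
    "AsrOfficeChildProcessBlocked", "ExploitGuardChildProcessBlocked",
}
HEX_RE = re.compile(r"^[0-9a-f]+$")        # documented MD5/SHA1 check; no length check
SHA256_RE = re.compile(r"^[a-f0-9]{64}$")  # documented SHA256 check


def set_path(udm, path, value):
    """Set a dotted UDM path such as 'target.file.md5', creating nested dicts."""
    parts = path.split(".")
    node = udm
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def security_action(action_type):
    """security_result.action from the documented case-insensitive Allow/Block/Fail checks."""
    for needle, verdict in (("allow", "ALLOW"), ("block", "BLOCK"), ("fail", "FAIL")):
        if re.search(needle, action_type, re.IGNORECASE):
            return verdict
    return None


def full_path(folder, name, sep):
    """FolderPath as-is when it already ends with FileName, else folder<sep>name."""
    if folder and name and re.search(re.escape(name) + r"$", folder):
        return folder
    return f"{folder}{sep}{name}"


def map_device_event(props):
    """Map one DeviceEvents 'properties' object to a nested UDM-style dict."""
    udm = {"metadata": {}, "principal": {}, "target": {}, "security_result": {}}
    action = props.get("ActionType", "")
    set_path(udm, "metadata.event_type", EVENT_TYPE_BY_ACTION.get(action, "GENERIC_EVENT"))
    set_path(udm, "principal.hostname", props.get("DeviceName"))
    set_path(udm, "principal.asset_id", "DeviceID:" + props.get("DeviceId", ""))
    verdict = security_action(action)
    if verdict:
        set_path(udm, "security_result.action", verdict)

    # Account fields: InitiatingProcess* wins when present, else the plain field;
    # for the account-management actions they describe the target, not the principal.
    side = "target" if action in ACCOUNT_TARGET_ACTIONS else "principal"
    for key, udm_key in (("AccountDomain", "administrative_domain"),
                         ("AccountName", "user.userid"), ("AccountSid", "user.windows_sid")):
        value = props.get("InitiatingProcess" + key) or props.get(key)
        if value:
            set_path(udm, f"{side}.{udm_key}", value)

    # Initiating process path: the page documents "/" as the join separator here.
    if props.get("InitiatingProcessFileName"):
        set_path(udm, "principal.process.file.full_path",
                 full_path(props.get("InitiatingProcessFolderPath", ""),
                           props["InitiatingProcessFileName"], "/"))

    # File fields: process-injection style actions put them under target.process.file,
    # others under target.file; hashes are mapped only when they pass their regex, and
    # FileName/FileSize are documented as gated on the MD5 check.
    file_side = "target.process.file" if action in PROCESS_FILE_ACTIONS else "target.file"
    md5, sha1, sha256 = (props.get(k, "") for k in ("MD5", "SHA1", "SHA256"))
    if HEX_RE.match(md5):
        set_path(udm, f"{file_side}.md5", md5)
        if props.get("FileName"):
            set_path(udm, f"{file_side}.names", [props["FileName"]])
        if props.get("FileSize") is not None:
            set_path(udm, f"{file_side}.size", props["FileSize"])
    if HEX_RE.match(sha1):
        set_path(udm, f"{file_side}.sha1", sha1)
    if SHA256_RE.match(sha256):
        set_path(udm, f"{file_side}.sha256", sha256)
    if props.get("FileName"):
        set_path(udm, f"{file_side}.full_path",
                 full_path(props.get("FolderPath", ""), props["FileName"], "\\"))
    return udm


# Constructed sample event, not real telemetry: ASR blocks an Office child process.
SAMPLE_EVENT = {
    "ActionType": "AsrOfficeChildProcessBlocked", "DeviceId": "constructed-device-id",
    "DeviceName": "ws01.example.test", "InitiatingProcessAccountDomain": "EXAMPLE",
    "InitiatingProcessAccountName": "alice", "InitiatingProcessFileName": "winword.exe",
    "InitiatingProcessFolderPath": "C:\\Program Files\\Office",
    "FolderPath": "C:\\Windows\\System32", "FileName": "cmd.exe", "FileSize": 289792,
    "MD5": "d" * 32, "SHA1": "e" * 40, "SHA256": "ZZ" + "a" * 62,  # SHA256 fails the check
}
```

Note that the documented ^[0-9a-f]+$ check for MD5 and SHA1 accepts any lowercase hex string of any length, so a truncated or padded hash still reaches the UDM field, whereas the SHA256 check enforces the 64-character length.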

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - AlertEvidence

The following table lists the log fields for the AlertEvidence log type and their corresponding UDM fields:

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to SCAN_HOST.
principal.resource.resource_type The principal.resource.resource_type UDM field is set to CLOUD_PROJECT.
properties.AccountDomain principal.administrative_domain
properties.AccountName principal.user.userid
properties.AccountObjectId additional.fields[account_object_id]
properties.AccountSid principal.user.windows_sid
properties.AccountUpn principal.user.user_display_name
properties.AdditionalFields additional.fields[additionalfields]
properties.AlertId metadata.product_log_id
properties.Application additional.fields[application]
properties.ApplicationId additional.fields[application_id]
properties.AttackTechniques security_result.attack_details.techniques.name
properties.Categories security_result.category_details
properties.CloudPlatform principal.resource.attribute.cloud.environment If the properties.CloudPlatform log field value matches the regular expression pattern /(?i)Amazon Web Services/, then the principal.resource.attribute.cloud.environment UDM field is set to AMAZON_WEB_SERVICES.

Else, if the properties.CloudPlatform log field value matches the regular expression pattern /(?i)Google Cloud Platform/, then the principal.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM.

Else, if the properties.CloudPlatform log field value matches the regular expression pattern /(?i)Azure/, then the principal.resource.attribute.cloud.environment UDM field is set to MICROSOFT_AZURE.

Else, the principal.resource.attribute.cloud.environment UDM field is set to UNSPECIFIED_CLOUD_ENVIRONMENT.
properties.CloudResource principal.resource.name
properties.DetectionSource security_result.about.resource.attribute.labels[detection_source]
properties.DeviceId principal.asset_id If the properties.DeviceId log field value is not empty, then the principal.asset_id UDM field is set to DeviceID:%{properties.DeviceId}.
properties.DeviceName principal.hostname If the properties.DeviceName log field value is not empty, then the properties.DeviceName log field is mapped to the principal.hostname UDM field.
Else, if the properties.AdditionalFields.HostName log field value is not empty, then the properties.AdditionalFields.HostName log field is mapped to the principal.hostname UDM field.
Else, if the properties.AdditionalFields.Host.HostName log field value is not empty, then the properties.AdditionalFields.Host.HostName log field is mapped to the principal.hostname UDM field.
Else, if the properties.AdditionalFields.ImageFile.Host.HostName log field value is not empty, then the properties.AdditionalFields.ImageFile.Host.HostName log field is mapped to the principal.hostname UDM field.
properties.EmailSubject network.email.subject
properties.EntityType principal.resource.resource_subtype
properties.EvidenceDirection principal.user.attribute.labels[evidence_direction]
properties.EvidenceRole principal.user.attribute.labels[evidence_role]
properties.FileName target.file.names
properties.FileSize target.file.size
properties.FolderPath target.file.full_path If the properties.FileName log field value matches the regular expression pattern formed from the properties.FolderPath log field value, then the properties.FolderPath log field is mapped to the target.file.full_path UDM field.

Else, the target.file.full_path UDM field is set to %{properties.FolderPath}/%{properties.FileName}.
properties.LocalIP principal.asset.ip If the properties.LocalIP log field value is not empty, then the properties.LocalIP log field is mapped to the principal.asset.ip UDM field.
properties.NetworkMessageId network.email.mail_id
properties.OAuthApplicationId additional.fields[oauth_application_id]
properties.ProcessCommandLine target.process.command_line
properties.RegistryKey target.registry.registry_key
properties.RegistryValueData target.registry.registry_value_data
properties.RegistryValueName target.registry.registry_value_name
properties.RemoteIP target.ip
properties.RemoteUrl target.url
properties.ResourceID principal.resource.product_object_id
properties.ServiceSource security_result.about.resource.attribute.labels[service_source]
properties.Severity security_result.severity
properties.SHA1 target.file.sha1 If the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.SHA1 log field is mapped to the target.file.sha1 UDM field.
properties.SHA256 target.file.sha256 If the properties.SHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.SHA256 log field is mapped to the target.file.sha256 UDM field.
properties.SubscriptionId principal.resource.attribute.labels[subscription_id]
properties.ThreatFamily security_result.detection_fields[threat_family]
properties.Timestamp metadata.event_timestamp
properties.Title security_result.summary
properties.Title security_result.threat_name
properties.Title security_result.rule_name

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - AlertInfo

The following table lists the log fields for the AlertInfo log type and their corresponding UDM fields:

Log field UDM mapping Logic
is_alert The is_alert UDM field is set to true.
is_significant The is_significant UDM field is set to true.
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
properties.AlertId metadata.product_log_id
properties.AttackTechniques security_result.attack_details.techniques.name
properties.Category security_result.category_details
properties.DetectionSource security_result.detection_fields[detection_source]
properties.ServiceSource security_result.detection_fields[service_source]
properties.Severity security_result.severity If the properties.Severity log field value matches the regular expression pattern (?i)(informational), then the security_result.severity UDM field is set to INFORMATIONAL.

Else, if the properties.Severity log field value matches the regular expression pattern (?i)(low), then the security_result.severity UDM field is set to LOW.

Else, if the properties.Severity log field value matches the regular expression pattern (?i)(medium), then the security_result.severity UDM field is set to MEDIUM.

Else, if the properties.Severity log field value matches the regular expression pattern (?i)(high), then the security_result.severity UDM field is set to HIGH.
properties.Timestamp metadata.event_timestamp
properties.Title security_result.threat_name
properties.Title security_result.rule_name

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceAlertEvents

The following table lists the log fields for the DeviceAlertEvents log type and their corresponding UDM fields:

Log field UDM mapping Logic
is_alert The is_alert UDM field is set to true.
is_significant The is_significant UDM field is set to true.
metadata.event_type The metadata.event_type UDM field is set to SCAN_HOST.
properties.AlertId metadata.product_log_id
properties.AttackTechniques security_result.attack_details.techniques.name
properties.Category security_result.category_details
properties.DeviceId principal.asset_id The principal.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.DeviceName principal.hostname
properties.FileName target.file.names
properties.MachineGroup principal.group.group_display_name
properties.MitreTechniques security_result.detection_fields[mitre_techniques]
properties.RemoteIp target.ip
properties.RemoteUrl target.url
properties.ReportId security_result.detection_fields[report_id]
properties.Severity security_result.severity If the properties.Severity log field value is equal to High, then the security_result.severity UDM field is set to HIGH.

Else, if the properties.Severity log field value is equal to Medium, then the security_result.severity UDM field is set to MEDIUM.

Else, if the properties.Severity log field value is equal to Low, then the security_result.severity UDM field is set to LOW.

Else, if the properties.Severity log field value is equal to Informational, then the security_result.severity UDM field is set to INFORMATIONAL.
properties.SHA1 target.file.sha1 If the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.SHA1 log field is mapped to the target.file.sha1 UDM field.
properties.Table additional.fields[table]
properties.Timestamp metadata.event_timestamp
properties.Title security_result.threat_name
properties.Title security_result.rule_name

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceFileCertificateInfo

The following table lists the log fields for the DeviceFileCertificateInfo log type and their corresponding UDM fields:

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to STATUS_UPDATE.
properties.CertificateCountersignatureTime additional.fields[certificate_countersignature_time]
properties.CertificateCreationTime additional.fields[certification_creation_time]
properties.CertificateExpirationTime additional.fields[certification_expiration_time]
properties.CertificateSerialNumber additional.fields[certificate_serial_number]
properties.CrlDistributionPointUrls additional.fields[crl_distribution_point_urls]
properties.DeviceId principal.asset_id The principal.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.DeviceName principal.hostname
properties.IsRootSignerMicrosoft additional.fields[is_root_signer_microsoft]
properties.IsSigned principal.file.signature_info.sigcheck.verified If the properties.IsSigned log field value is equal to true, then the principal.file.signature_info.sigcheck.verified UDM field is set to TRUE.

Else, the principal.file.signature_info.sigcheck.verified UDM field is set to FALSE.
properties.Issuer principal.file.signature_info.sigcheck.signers.cert_issuer
properties.IssuerHash additional.fields[issuer_hash]
properties.IsTrusted additional.fields[is_trusted]
properties.ReportId metadata.product_log_id
properties.SHA1 principal.file.sha1 If the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.SHA1 log field is mapped to the target.file.sha1 UDM field.
properties.SignatureType additional.fields[signature_type]
properties.Signer principal.file.signature_info.sigcheck.signers.name
properties.SignerHash additional.fields[signer_hash]
properties.Timestamp metadata.event_timestamp

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceImageLoadEvents

The following table lists the log fields for the DeviceImageLoadEvents log type and their corresponding UDM fields:

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to PROCESS_MODULE_LOAD.
principal.DeviceId principal.asset_id The principal.asset_id is set to DeviceID:%{principal.DeviceId}.
properties.AppGuardContainerId additional.fields[app_guard_container_id]
properties.DeviceName principal.hostname
properties.FileName target.process.file.names
properties.FileName target.file.names
properties.FileSize target.process.file.size
properties.FileSize target.file.size
properties.FolderPath target.process.file.full_path If the properties.FolderPath log field value matches the regular expression pattern formed from the properties.FileName log field value, then the properties.FolderPath log field is mapped to the target.process.file.full_path UDM field.

Else, the target.process.file.full_path UDM field is set to %{properties.FolderPath}/%{properties.FileName}.
properties.FolderPath target.file.full_path If the properties.FolderPath log field value matches the regular expression pattern formed from the properties.FileName log field value, then the properties.FolderPath log field is mapped to the target.file.full_path UDM field.

Else, the target.file.full_path UDM field is set to %{properties.FolderPath}/%{properties.FileName}.
properties.InitiatingProcessAccountDomain principal.administrative_domain
properties.InitiatingProcessAccountName principal.user.userid
properties.InitiatingProcessAccountObjectId principal.user.product_object_id
properties.InitiatingProcessAccountSid principal.user.windows_sid
properties.InitiatingProcessAccountUpn principal.user.user_display_name
properties.InitiatingProcessCommandLine principal.process.command_line
properties.InitiatingProcessCreationTime additional.fields[initiating_process_creation_time]
properties.InitiatingProcessFileName principal.process.file.names
properties.InitiatingProcessFileSize principal.process.file.size
properties.InitiatingProcessFolderPath principal.process.file.full_path If the properties.InitiatingProcessFolderPath log field value matches the regular expression pattern formed from the properties.InitiatingProcessFileName log field value, then the properties.InitiatingProcessFolderPath log field is mapped to the principal.process.file.full_path UDM field.

Else, the principal.process.file.full_path UDM field is set to %{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}.
properties.InitiatingProcessId principal.process.pid
properties.InitiatingProcessIntegrityLevel additional.fields[initiating_process_integrity_level]
properties.InitiatingProcessMD5 principal.process.file.md5 If the properties.InitiatingProcessMD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessMD5 log field is mapped to the principal.process.file.md5 UDM field.
properties.InitiatingProcessParentCreationTime additional.fields[initiating_process_parent_creation_time]
properties.InitiatingProcessParentFileName principal.process.parent_process.file.names
properties.InitiatingProcessParentId principal.process.parent_process.pid
properties.InitiatingProcessSHA1 principal.process.file.sha1 If the properties.InitiatingProcessSHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessSHA1 log field is mapped to the principal.process.file.sha1 UDM field.
properties.InitiatingProcessSHA256 principal.process.file.sha256 If the properties.InitiatingProcessSHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.InitiatingProcessSHA256 log field is mapped to the principal.process.file.sha256 UDM field.
properties.InitiatingProcessTokenElevation principal.process.token_elevation_type If the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeFull, then the principal.process.token_elevation_type UDM field is set to TYPE_1.

Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeDefault, then the principal.process.token_elevation_type UDM field is set to TYPE_2.

Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeLimited, then the principal.process.token_elevation_type UDM field is set to TYPE_3.
properties.InitiatingProcessVersionInfoCompanyName principal.process.file.exif_info.company
properties.InitiatingProcessVersionInfoFileDescription principal.process.file.exif_info.file_description
properties.InitiatingProcessVersionInfoInternalFileName additional.fields[initiating_process_version_info_internal_file_name]
properties.InitiatingProcessVersionInfoOriginalFileName principal.process.file.exif_info.original_file
properties.InitiatingProcessVersionInfoProductName principal.process.file.exif_info.product
properties.InitiatingProcessVersionInfoProductVersion additional.fields[initiating_process_version_info_product_version]
properties.MD5 target.process.file.md5 If the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.MD5 log field is mapped to the target.process.file.md5 UDM field.
properties.MD5 target.file.md5 If the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.MD5 log field is mapped to the target.process.file.md5 UDM field.
properties.ReportId metadata.product_log_id
properties.SHA1 target.process.file.sha1 If the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.SHA1 log field is mapped to the target.process.file.sha1 UDM field.
properties.SHA1 target.file.sha1 If the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.SHA1 log field is mapped to the target.file.sha1 UDM field.
properties.SHA256 target.process.file.sha256 If the properties.SHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.SHA256 log field is mapped to the target.process.file.sha256 UDM field.
properties.SHA256 target.file.sha256 If the properties.SHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.SHA256 log field is mapped to the target.file.sha256 UDM field.
properties.Timestamp metadata.event_timestamp

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceFileEvents

The following table lists the log fields for the DeviceFileEvents log type and their corresponding UDM fields:

Log field UDM mapping Logic
properties.ActionType metadata.event_type If the properties.ActionType log field value is equal to FileCreated, then the metadata.event_type UDM field is set to FILE_CREATION.

Else, if the properties.ActionType log field value is equal to FileDeleted, then the metadata.event_type UDM field is set to FILE_DELETION.

Else, if the properties.ActionType log field value is equal to FileModified, then the metadata.event_type UDM field is set to FILE_MODIFICATION.

Else, if the properties.ActionType log field value is equal to FileRenamed, then the metadata.event_type UDM field is set to FILE_MOVE.
properties.AdditionalFields additional.fields[additional_fields]
properties.AppGuardContainerId additional.fields[app_guard_container_id]
properties.DeviceId principal.asset_id The principal.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.DeviceName principal.hostname
properties.FileName target.file.names
properties.FileOriginIP principal.ip
properties.FileOriginReferrerUrl network.http.referral_url
properties.FileOriginUrl principal.url
properties.FileSize target.file.size
properties.FolderPath target.file.full_path If the properties.FolderPath log field value matches the regular expression pattern formed from the properties.FileName log field value, then the properties.FolderPath log field is mapped to the target.file.full_path UDM field.

Else, the target.file.full_path UDM field is set to %{properties.FolderPath}/%{properties.FileName}.
properties.InitiatingProcessAccountDomain principal.administrative_domain If the properties.InitiatingProcessAccountDomain log field value is not empty, then the properties.InitiatingProcessAccountDomain log field is mapped to the principal.administrative_domain UDM field.
properties.InitiatingProcessAccountName principal.user.userid If the properties.InitiatingProcessAccountName log field value is not empty, then the properties.InitiatingProcessAccountName log field is mapped to the principal.user.userid UDM field.
properties.InitiatingProcessAccountObjectId principal.user.product_object_id
properties.InitiatingProcessAccountSid principal.user.windows_sid If the properties.InitiatingProcessAccountSid log field value is not empty, then the properties.InitiatingProcessAccountSid log field is mapped to the principal.user.windows_sid UDM field.
properties.InitiatingProcessAccountUpn principal.user.user_display_name
properties.InitiatingProcessCommandLine principal.process.command_line
properties.InitiatingProcessCreationTime additional.fields[initiating_process_creation_time]
properties.InitiatingProcessFileName principal.process.file.names
properties.InitiatingProcessFileSize principal.process.file.size
properties.InitiatingProcessFolderPath principal.process.file.full_path If the properties.InitiatingProcessFolderPath log field value matches the regular expression pattern formed from the properties.InitiatingProcessFileName log field value, then the properties.InitiatingProcessFolderPath log field is mapped to the principal.process.file.full_path UDM field.

Else, the principal.process.file.full_path UDM field is set to %{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}.
properties.InitiatingProcessId principal.process.pid
properties.InitiatingProcessIntegrityLevel additional.fields[initiating_process_integrity_level]
properties.InitiatingProcessMD5 principal.process.file.md5 If the properties.InitiatingProcessMD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessMD5 log field is mapped to the principal.process.file.md5 UDM field.
properties.InitiatingProcessParentCreationTime additional.fields[initiating_process_parent_creation_time]
properties.InitiatingProcessParentFileName principal.process.parent_process.file.names
properties.InitiatingProcessParentId principal.process.parent_process.pid
properties.InitiatingProcessSHA1 principal.process.file.sha1 If the properties.InitiatingProcessSHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessSHA1 log field is mapped to the principal.process.file.sha1 UDM field.
properties.InitiatingProcessSHA256 principal.process.file.sha256 If the properties.InitiatingProcessSHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.InitiatingProcessSHA256 log field is mapped to the principal.process.file.sha256 UDM field.
properties.InitiatingProcessTokenElevation principal.process.token_elevation_type If the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeFull, then the principal.process.token_elevation_type UDM field is set to TYPE_1.

Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeDefault, then the principal.process.token_elevation_type UDM field is set to TYPE_2.

Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeLimited, then the principal.process.token_elevation_type UDM field is set to TYPE_3.
properties.InitiatingProcessVersionInfoCompanyName principal.process.file.exif_info.company
properties.InitiatingProcessVersionInfoFileDescription principal.process.file.exif_info.file_description
properties.InitiatingProcessVersionInfoInternalFileName additional.fields[initiating_process_version_info_internal_file_name]
properties.InitiatingProcessVersionInfoOriginalFileName principal.process.file.exif_info.original_file
properties.InitiatingProcessVersionInfoProductName principal.process.file.exif_info.product
properties.InitiatingProcessVersionInfoProductVersion additional.fields[initiating_process_version_info_product_version]
properties.IsAzureInfoProtectionApplied additional.fields[is_azure_info_protection_applied]
properties.MD5 target.file.md5 If the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.MD5 log field is mapped to the target.file.md5 UDM field.
properties.PreviousFileName src.file.names
properties.PreviousFolderPath src.file.full_path If the properties.PreviousFolderPath log field value matches the regular expression pattern formed from the properties.PreviousFileName log field value, then the properties.PreviousFolderPath log field is mapped to the src.file.full_path UDM field.

Else, the src.file.full_path UDM field is set to %{properties.PreviousFolderPath}/%{properties.PreviousFileName}.
properties.ReportId metadata.product_log_id
properties.RequestAccountDomain principal.administrative_domain If the properties.InitiatingProcessAccountDomain log field value is empty, then the properties.RequestAccountDomain log field is mapped to the principal.administrative_domain UDM field.
properties.RequestAccountName principal.user.userid If the properties.InitiatingProcessAccountName log field value is empty, then the properties.RequestAccountName log field is mapped to the principal.user.userid UDM field.
properties.RequestAccountSid principal.user.windows_sid If the properties.InitiatingProcessAccountSid log field value is empty, then the properties.RequestAccountSid log field is mapped to the principal.user.windows_sid UDM field.
properties.RequestProtocol network.application_protocol If the properties.RequestProtocol log field value is equal to SMB, then the network.application_protocol UDM field is set to SMB.

Else, if the properties.RequestProtocol log field value is equal to NFS, then the network.application_protocol UDM field is set to NFS.

Else, if the properties.RequestProtocol log field value is equal to Local, then the network.application_protocol UDM field is set to UNKNOWN_APPLICATION_PROTOCOL.
properties.RequestSourceIP principal.ip
properties.RequestSourcePort principal.port
properties.SensitivityLabel target.file.tags
properties.SensitivitySubLabel target.file.tags
properties.SHA1 target.file.sha1 If the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.SHA1 log field is mapped to the target.file.sha1 UDM field.
properties.SHA256 target.file.sha256 If the properties.SHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.SHA256 log field is mapped to the target.file.sha256 UDM field.
properties.ShareName additional.fields[share_name]
properties.Timestamp metadata.event_timestamp
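As an added example (not code from this page or from the Google SecOps parser), the following Python reproduces the conditional logic of the DeviceFileEvents table above, including the FolderPath/FileName rule, the lowercase-only hash guards and the InitiatingProcess/Request account fallback that the DeviceImageLoadEvents table shares, and runs it over a constructed record. The flat dotted UDM keys, the `re.escape` treatment of the file name and the sample values are assumptions of the example.

```python
import re
from typing import Any, Dict, Optional

# Hash guards as the mapping tables state them: the value is copied only when it matches the
# pattern, otherwise the UDM field stays unset. The patterns are lowercase-only, so an uppercase
# hex digest is dropped rather than normalised.
MD5_OR_SHA1_RE = re.compile(r"^[0-9a-f]+$")
SHA256_RE = re.compile(r"^[a-f0-9]{64}$")

# Enumerated values the tables translate one-to-one; any other value leaves the field unset.
ENUM_FIELDS = (
    ("ActionType", "metadata.event_type",
     {"FileCreated": "FILE_CREATION", "FileDeleted": "FILE_DELETION",
      "FileModified": "FILE_MODIFICATION", "FileRenamed": "FILE_MOVE"}),
    ("RequestProtocol", "network.application_protocol",
     {"SMB": "SMB", "NFS": "NFS", "Local": "UNKNOWN_APPLICATION_PROTOCOL"}),
    ("InitiatingProcessTokenElevation", "principal.process.token_elevation_type",
     {"TokenElevationTypeFull": "TYPE_1", "TokenElevationTypeDefault": "TYPE_2",
      "TokenElevationTypeLimited": "TYPE_3"}),
)
# (log field, UDM field) pairs copied verbatim when the log field is non-empty.
DIRECT_COPY = (
    ("DeviceName", "principal.hostname"),
    ("FileName", "target.file.names"),
    ("PreviousFileName", "src.file.names"),
    ("Timestamp", "metadata.event_timestamp"),
)
# (log field, UDM field, guard pattern) for the hashes the table validates.
HASH_FIELDS = (
    ("MD5", "target.file.md5", MD5_OR_SHA1_RE),
    ("SHA1", "target.file.sha1", MD5_OR_SHA1_RE),
    ("SHA256", "target.file.sha256", SHA256_RE),
    ("InitiatingProcessSHA256", "principal.process.file.sha256", SHA256_RE),
)
# Account fields: the InitiatingProcess* value wins; Request* is used only when it is empty.
ACCOUNT_FIELDS = (
    ("InitiatingProcessAccountDomain", "RequestAccountDomain", "principal.administrative_domain"),
    ("InitiatingProcessAccountName", "RequestAccountName", "principal.user.userid"),
    ("InitiatingProcessAccountSid", "RequestAccountSid", "principal.user.windows_sid"),
)
# (folder field, name field, UDM field) triples that follow the FolderPath/FileName rule.
PATH_FIELDS = (
    ("FolderPath", "FileName", "target.file.full_path"),
    ("PreviousFolderPath", "PreviousFileName", "src.file.full_path"),
    ("InitiatingProcessFolderPath", "InitiatingProcessFileName", "principal.process.file.full_path"),
)


def full_path(folder_path: Optional[str], file_name: Optional[str]) -> Optional[str]:
    """Keep FolderPath when it already contains the file name, else join with "/" as the table states."""
    # re.escape is an assumption of this example: a name such as "report(1).docx" must be
    # matched literally rather than interpreted as a regular expression.
    if not folder_path:
        return None
    if not file_name or re.search(re.escape(file_name), folder_path):
        return folder_path
    return f"{folder_path}/{file_name}"


def map_device_file_event(props: Dict[str, Any]) -> Dict[str, Any]:
    """Map the `properties` object of one DeviceFileEvents record to flat dotted UDM keys."""
    udm: Dict[str, Any] = {}
    if props.get("DeviceId"):
        udm["principal.asset_id"] = f"DeviceID:{props['DeviceId']}"
    for src, dst, table in ENUM_FIELDS:
        if props.get(src) in table:
            udm[dst] = table[props[src]]
    for src, dst in DIRECT_COPY:
        if props.get(src) not in (None, ""):
            udm[dst] = props[src]
    for src, dst, pattern in HASH_FIELDS:
        if isinstance(props.get(src), str) and pattern.fullmatch(props[src]):
            udm[dst] = props[src]
    for primary, fallback, dst in ACCOUNT_FIELDS:
        value = props.get(primary) or props.get(fallback)
        if value:
            udm[dst] = value
    for folder, name, dst in PATH_FIELDS:
        path = full_path(props.get(folder), props.get(name))
        if path:
            udm[dst] = path
    return udm


# Constructed sample record (not real telemetry): a rename with an uppercase SHA256,
# an empty initiating account, a limited token and a local request protocol.
SAMPLE_EVENT = {
    "ActionType": "FileRenamed",
    "DeviceId": "constructed-device-id",
    "FileName": "invoice.docx",
    "FolderPath": r"C:\Users\alice\Downloads\invoice.docx",
    "PreviousFileName": "invoice_draft.docx",
    "PreviousFolderPath": r"C:\Users\alice\Downloads",
    "SHA1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "SHA256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "InitiatingProcessAccountName": "",
    "RequestAccountName": "alice",
    "RequestProtocol": "Local",
    "InitiatingProcessTokenElevation": "TokenElevationTypeLimited",
}

if __name__ == "__main__":
    print(map_device_file_event(SAMPLE_EVENT))
```

Note that the uppercase SHA256 in the sample is silently dropped because the documented pattern accepts lowercase hex only, which is worth checking against your own telemetry before relying on hash-based detections.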

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceInfo

The following table lists the log fields for the DeviceInfo log type and their corresponding UDM fields:

Log field UDM mapping Logic
metadata.entity_type The metadata.entity_type UDM field is set to ASSET.
relations.direction The relations.direction UDM field is set to UNIDIRECTIONAL.
relations.entity_type The relations.entity_type UDM field is set to USER.
relations.relationship The relations.relationship UDM field is set to MEMBER.
properties.AadDeviceId entity.asset.attribute.labels[aad_device_id]
properties.AdditionalFields entity.asset.attribute.labels[additional_fields]
properties.AssetValue entity.security_result.priority If the properties.AssetValue log field value is equal to High, then the entity.security_result.priority UDM field is set to HIGH_PRIORITY.

Else, if the properties.AssetValue log field value is equal to Medium, then the entity.security_result.priority UDM field is set to MEDIUM_PRIORITY.

Else, if the properties.AssetValue log field value is equal to Low, then the entity.security_result.priority UDM field is set to LOW_PRIORITY.

Else, the properties.AssetValue log field is mapped to the entity.security_result.detection_fields.asset_value UDM field.
properties.ClientVersion entity.asset.software.version
properties.ConnectivityType entity.asset.attribute.labels[connectivity_type]
properties.DeviceCategory entity.asset.category
properties.DeviceDynamicTags entity.asset.attribute.labels[device_dynamic_tags]
properties.DeviceId entity.asset_id The entity.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.DeviceId entity.asset.asset_id The entity.asset.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.DeviceId metadata.product_entity_id The metadata.product_entity_id is set to DeviceID:%{properties.DeviceId}.
properties.DeviceManualTags entity.asset.attribute.labels[device_manual_tags]
properties.DeviceName entity.asset.hostname
properties.DeviceSubtype entity.asset.attribute.labels[device_subtype]
properties.DeviceType entity.asset.type If the properties.DeviceType log field value is equal to NetworkDevice, then the entity.asset.type UDM field is set to NETWORK_ATTACHED_STORAGE.

Else, if the properties.DeviceType log field value is equal to Workstation, then the entity.asset.type UDM field is set to WORKSTATION.

Else, if the properties.DeviceType log field value is equal to Server, then the entity.asset.type UDM field is set to SERVER.

Else, if the properties.DeviceType log field value is equal to Mobile, then the entity.asset.type UDM field is set to MOBILE.

Else, if the properties.DeviceType log field value is equal to Printer, then the entity.asset.type UDM field is set to PRINTER.
properties.DeviceType entity.asset.attribute.labels If the properties.DeviceType log field value is equal to GamingConsole, then the properties.DeviceType log field is mapped to the entity.asset.attribute.labels UDM field.
properties.ExclusionReason entity.security_result.detection_fields[exclusion_reason]
properties.ExposureLevel entity.security_result.detection_fields[exposure_level]
properties.HostDeviceId entity.asset.attribute.labels[host_device_id]
properties.IsAzureADJoined entity.asset.attribute.labels[is_azure_ad_joined]
properties.IsExcluded entity.security_result.detection_fields[is_excluded]
properties.IsInternetFacing entity.asset.attribute.labels[is_internet_facing]
properties.JoinType entity.asset.attribute.labels[join_type]
properties.LoggedOnUsers
properties.LoggedOnUsers.DomainName relations.entity.domain.name
properties.LoggedOnUsers.Sid relations.entity.user.windows_sid
properties.LoggedOnUsers.UserName relations.entity.user.userid
properties.MachineGroup entity.group.group_display_name
properties.MergedDeviceIds entity.asset.attribute.labels[merged_device_ids]
properties.MergedToDeviceId entity.asset.attribute.labels[merged_to_device_id]
properties.Model entity.asset.hardware.model
properties.OnboardingStatus entity.asset.attribute.labels[onboarding_status]
properties.OSArchitecture entity.asset.attribute.labels[os_architecture]
properties.OSBuild entity.asset.platform_software.plateform_patch_level
properties.OSDistribution entity.asset.attribute.labels[os_distribution]
properties.OSPlatform entity.asset.platform_software.platform If the properties.OSPlatform log field value matches the regular expression pattern (?i)macos, then the entity.asset.platform_software.platform UDM field is set to MAC.

Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)windows, then the entity.asset.platform_software.platform UDM field is set to WINDOWS.

Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)linux, then the entity.asset.platform_software.platform UDM field is set to LINUX.
properties.OSVersion entity.asset.platform_software.platform_version
properties.OSVersionInfo entity.asset.attribute.labels[os_version_info]
properties.PublicIP entity.asset.nat_ip
properties.RegistryDeviceTag entity.asset.attribute.labels[registry_divice_tag]
properties.ReportId entity.asset.attribute.labels[report_id]
properties.SensorHealthState entity.asset.attribute.labels[sensor_health_state]
properties.Timestamp metadata.creation_timestamp
properties.Vendor entity.asset.hardware.manufacturer

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceIdentityLogonEvents

The following table lists the log fields for the DeviceIdentityLogonEvents log type and their corresponding UDM fields:

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to SCAN_HOST.
principal.resource.resource_type The principal.resource.resource_type UDM field is set to CLOUD_PROJECT.
properties.AccountDomain principal.administrative_domain
properties.AccountName principal.user.userid
properties.AccountObjectId additional.fields[account_object_id]
properties.AccountSid principal.user.windows_sid
properties.AccountUpn principal.user.user_display_name
properties.AdditionalFields additional.fields[additionalfields]
properties.AlertId metadata.product_log_id
properties.Application additional.fields[application]
properties.ApplicationId additional.fields[application_id]
properties.AttackTechniques security_result.attack_details.techniques.name
properties.Categories security_result.category_details
properties.CloudPlatform principal.resource.attribute.cloud.environment If the properties.CloudPlatform log field value matches the regular expression pattern /(?i)Amazon Web Services/, then the principal.resource.attribute.cloud.environment UDM field is set to AMAZON_WEB_SERVICES.

Else, if the properties.CloudPlatform log field value matches the regular expression pattern /(?i)Google Cloud Platform/, then the principal.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM.

Else, if the properties.CloudPlatform log field value matches the regular expression pattern /(?i)Azure/, then the principal.resource.attribute.cloud.environment UDM field is set to MICROSOFT_AZURE.

Else, the principal.resource.attribute.cloud.environment UDM field is set to UNSPECIFIED_CLOUD_ENVIRONMENT.
properties.CloudResource principal.resource.name
properties.DetectionSource security_result.about.resource.attribute.labels[detection_source]
properties.DeviceId principal.asset_id If the properties.DeviceId log field value is not empty, then the principal.asset_id UDM field is set to AssetID:%{properties.DeviceId}. Else, the principal.asset_id UDM field is set to AssetID:%{properties.AdditionalFields.MachineId}.
properties.DeviceName principal.hostname If the properties.DeviceName log field value is not empty, then the properties.DeviceName log field is mapped to the principal.hostname UDM field.
properties.EmailSubject network.email.subject
properties.EntityType principal.resource.resource_subtype
properties.EvidenceDirection principal.user.attribute.labels[evidence_direction]
properties.EvidenceRole principal.user.attribute.labels[evidence_role]
properties.FileName target.file.names
properties.FileSize target.file.size
properties.FolderPath target.file.full_path If the properties.FolderPath log field value matches the regular expression pattern formed by the properties.FileName log field value, then the properties.FolderPath log field is mapped to the target.file.full_path UDM field.

Else, the target.file.full_path UDM field is set to %{properties.FolderPath}/%{properties.FileName}.
properties.LocalIP principal.asset.ip If the properties.LocalIP log field value is not empty, then the properties.LocalIP log field is mapped to the principal.asset.ip UDM field.
properties.NetworkMessageId network.email.mail_id
properties.OAuthApplicationId additional.fields[oauth_application_id]
properties.ProcessCommandLine target.process.command_line
properties.RegistryKey target.registry.registry_key
properties.RegistryValueData target.registry.registry_value_data
properties.RegistryValueName target.registry.registry_value_name
properties.RemoteIP target.ip
properties.RemoteUrl target.url
properties.ResourceID principal.resource.product_object_id
properties.ServiceSource security_result.about.resource.attribute.labels[service_source]
properties.Severity security_result.severity
properties.SHA1 target.file.sha1 If the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.SHA1 log field is mapped to the target.file.sha1 UDM field.
properties.SHA256 target.file.sha256 If the properties.SHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.SHA256 log field is mapped to the target.file.sha256 UDM field.
properties.SubscriptionId principal.resource.attribute.labels[subscription_id]
properties.ThreatFamily security_result.threat_name
properties.Timestamp metadata.event_timestamp
properties.Title security_result.summary

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceLogonEvents

The following table lists the log fields for the DeviceLogonEvents log type and their corresponding UDM fields:

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to USER_LOGIN.
properties.AccountDomain target.administrative_domain
properties.AccountName target.user.userid
properties.AccountSid target.user.windows_sid
properties.AdditionalFields additional.fields[additional_fields]
properties.AppGuardContainerId additional.fields[app_guard_container_id]
properties.DeviceId principal.asset_id The principal.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.DeviceName principal.hostname
properties.FailureReason security_result.description
properties.InitiatingProcessAccountDomain principal.administrative_domain
properties.InitiatingProcessAccountName principal.user.userid
properties.InitiatingProcessAccountObjectId principal.user.product_object_id
properties.InitiatingProcessAccountSid principal.user.windows_sid
properties.InitiatingProcessAccountUpn principal.user.user_display_name
properties.InitiatingProcessCommandLine principal.process.command_line
properties.InitiatingProcessCreationTime additional.fields[initiating_process_creation_time]
properties.InitiatingProcessFileName principal.process.file.names
properties.InitiatingProcessFileSize principal.process.file.size
properties.InitiatingProcessFolderPath principal.process.file.full_path If the properties.InitiatingProcessFolderPath log field value matches the regular expression pattern formed by the properties.InitiatingProcessFileName log field value, then the properties.InitiatingProcessFolderPath log field is mapped to the principal.process.file.full_path UDM field.

Else, the principal.process.file.full_path is set to %{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}.
properties.InitiatingProcessId principal.process.pid
properties.InitiatingProcessIntegrityLevel additional.fields[initiating_process_integrity_level]
properties.InitiatingProcessMD5 principal.process.file.md5 If the properties.InitiatingProcessMD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessMD5 log field is mapped to the principal.process.file.md5 UDM field.
properties.InitiatingProcessParentCreationTime additional.fields[initiating_process_parent_creation_time]
properties.InitiatingProcessParentFileName principal.process.parent_process.file.names
properties.InitiatingProcessParentId principal.process.parent_process.pid
properties.InitiatingProcessSHA1 principal.process.file.sha1 If the properties.InitiatingProcessSHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessSHA1 log field is mapped to the principal.process.file.sha1 UDM field.
properties.InitiatingProcessSHA256 principal.process.file.sha256 If the properties.InitiatingProcessSHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.InitiatingProcessSHA256 log field is mapped to the principal.process.file.sha256 UDM field.
properties.InitiatingProcessTokenElevation principal.process.token_elevation_type If the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeFull, then the principal.process.token_elevation_type UDM field is set to TYPE_1.

Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeDefault, then the principal.process.token_elevation_type UDM field is set to TYPE_2.

Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeLimited, then the principal.process.token_elevation_type UDM field is set to TYPE_3.
properties.InitiatingProcessVersionInfoCompanyName principal.process.file.exif_info.company
properties.InitiatingProcessVersionInfoFileDescription principal.process.file.exif_info.file_description
properties.InitiatingProcessVersionInfoInternalFileName additional.fields[initiating_process_version_info_internal_file_name]
properties.InitiatingProcessVersionInfoOriginalFileName principal.process.file.exif_info.original_file
properties.InitiatingProcessVersionInfoProductName principal.process.file.exif_info.product
properties.InitiatingProcessVersionInfoProductVersion additional.fields[initiating_process_version_info_product_version]
properties.IsLocalAdmin target.resource.attribute.labels[is_local_admin]
properties.LogonId network.session_id
properties.LogonType extensions.auth.mechanism If the properties.LogonType log field value is equal to Interactive, then the extensions.auth.mechanism UDM field is set to INTERACTIVE.

Else, if the properties.LogonType log field value is equal to Network, then the extensions.auth.mechanism UDM field is set to NETWORK.

Else, if the properties.LogonType log field value is equal to Batch, then the extensions.auth.mechanism UDM field is set to BATCH.

Else, if the properties.LogonType log field value is equal to Service, then the extensions.auth.mechanism UDM field is set to SERVICE.

Else, if the properties.LogonType log field value is equal to RemoteInteractive, then the extensions.auth.mechanism UDM field is set to REMOTE_INTERACTIVE.
properties.Protocol network.ip_protocol If the properties.Protocol log field value is equal to Tcp, then the network.ip_protocol UDM field is set to TCP.

Else, if the properties.Protocol log field value is equal to Udp, then the network.ip_protocol UDM field is set to UDP.

Else, if the properties.Protocol log field value is equal to Icmp, then the network.ip_protocol UDM field is set to ICMP.
properties.RemoteDeviceName target.hostname
properties.RemoteIP target.ip
properties.RemoteIPType additional.fields[remote_ip_type]
properties.RemotePort target.port
properties.ReportId metadata.product_log_id
properties.Timestamp metadata.event_timestamp

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceNetworkEvents

The following table lists the log fields for the DeviceNetworkEvents log type and their corresponding UDM fields:

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_CONNECTION.
properties.AdditionalFields additional.fields[additional_fields]
properties.AppGuardContainerId additional.fields[app_guard_container_id]
properties.DeviceId principal.asset_id The principal.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.DeviceName principal.hostname
properties.InitiatingProcessAccountDomain principal.administrative_domain
properties.InitiatingProcessAccountName principal.user.userid
properties.InitiatingProcessAccountObjectId principal.user.product_object_id
properties.InitiatingProcessAccountSid principal.user.windows_sid
properties.InitiatingProcessAccountUpn principal.user.user_display_name
properties.InitiatingProcessCommandLine principal.process.command_line
properties.InitiatingProcessCreationTime additional.fields[initiating_process_creation_time]
properties.InitiatingProcessFileName principal.process.file.names
properties.InitiatingProcessFileSize principal.process.file.size
properties.InitiatingProcessFolderPath principal.process.file.full_path If the properties.InitiatingProcessFolderPath log field value matches the regular expression pattern formed by the properties.InitiatingProcessFileName log field value, then the properties.InitiatingProcessFolderPath log field is mapped to the principal.process.file.full_path UDM field.

Else, the principal.process.file.full_path is set to %{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}.
properties.InitiatingProcessId principal.process.pid
properties.InitiatingProcessIntegrityLevel additional.fields[initiating_process_integrity_level]
properties.InitiatingProcessMD5 principal.process.file.md5 If the properties.InitiatingProcessMD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessMD5 log field is mapped to the principal.process.file.md5 UDM field.
properties.InitiatingProcessParentCreationTime additional.fields[initiating_process_parent_creation_time]
properties.InitiatingProcessParentFileName principal.process.parent_process.file.names
properties.InitiatingProcessParentId principal.process.parent_process.pid
properties.InitiatingProcessSHA1 principal.process.file.sha1 If the properties.InitiatingProcessSHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessSHA1 log field is mapped to the principal.process.file.sha1 UDM field.
properties.InitiatingProcessSHA256 principal.process.file.sha256 If the properties.InitiatingProcessSHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.InitiatingProcessSHA256 log field is mapped to the principal.process.file.sha256 UDM field.
properties.InitiatingProcessTokenElevation principal.process.token_elevation_type If the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeFull, then the principal.process.token_elevation_type UDM field is set to TYPE_1.

Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeDefault, then the principal.process.token_elevation_type UDM field is set to TYPE_2.

Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeLimited, then the principal.process.token_elevation_type UDM field is set to TYPE_3.
properties.InitiatingProcessVersionInfoCompanyName principal.process.file.exif_info.company
properties.InitiatingProcessVersionInfoFileDescription principal.process.file.exif_info.file_description
properties.InitiatingProcessVersionInfoInternalFileName additional.fields[initiating_process_version_info_internal_file_name]
properties.InitiatingProcessVersionInfoOriginalFileName principal.process.file.exif_info.original_file
properties.InitiatingProcessVersionInfoProductName principal.process.file.exif_info.product
properties.InitiatingProcessVersionInfoProductVersion additional.fields[initiating_process_version_info_product_version]
properties.LocalIP principal.ip
properties.LocalIPType additional.fields[LocalIPType]
properties.LocalPort principal.port
properties.Protocol network.ip_protocol If the properties.Protocol log field value is equal to Tcp, then the network.ip_protocol UDM field is set to TCP.

Else, if the properties.Protocol log field value is equal to Udp, then the network.ip_protocol UDM field is set to UDP.

Else, if the properties.Protocol log field value is equal to Icmp, then the network.ip_protocol UDM field is set to ICMP.
properties.RemoteIP target.ip
properties.RemoteIPType additional.fields[RemoteIPType]
properties.RemotePort target.port
properties.RemoteUrl target.url
properties.ReportId metadata.product_log_id
properties.Timestamp metadata.event_timestamp

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceNetworkInfo

The following table lists the log fields for the DeviceNetworkInfo log type and their corresponding UDM fields:

Log field UDM mapping Logic
entity.asset.type The entity.asset.type UDM field is set to WORKSTATION.
metadata.entity_type The metadata.entity_type UDM field is set to ASSET.
properties.ConnectedNetworks entity.asset.attribute.labels[connected_networks]
properties.DefaultGateways entity.asset.attribute.labels[default_gateways]
properties.DeviceId entity.asset_id The entity.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.DeviceId entity.asset.asset_id The entity.asset.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.DeviceId metadata.product_entity_id The metadata.product_entity_id is set to DeviceID:%{properties.DeviceId}.
properties.DeviceName entity.asset.hostname
properties.DnsAddresses entity.domain.last_dns_records.type The entity.domain.last_dns_records.type UDM field is set to ip_address.
properties.DnsAddresses entity.domain.last_dns_records.value The properties.DnsAddresses log field is mapped to the entity.domain.last_dns_records.value UDM field.
properties.IPAddresses entity.asset.ip
properties.IPv4Dhcp entity.network.dhcp.ciaddr If the properties.IPv4Dhcp log field value is not empty, then the properties.IPv4Dhcp log field is mapped to the entity.network.dhcp.ciaddr UDM field.

Else, the properties.IPv6Dhcp log field is mapped to the entity.network.dhcp.ciaddr UDM field.
properties.MacAddress entity.asset.mac
properties.NetworkAdapterName entity.asset.attribute.labels[network_adapter_name]
properties.NetworkAdapterStatus entity.asset.attribute.labels[network_adapter_status]
properties.NetworkAdapterType entity.asset.attribute.labels[network_adapter_type]
properties.NetworkAdapterVendor entity.asset.attribute.labels[network_adapter_vendor]
properties.ReportId entity.asset.attribute.labels[report_id]
properties.Timestamp metadata.creation_time
properties.TunnelType entity.asset.attribute.labels[tunnel_type]

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceProcessEvents

The following table lists the log fields for the DeviceProcessEvents log type and their corresponding UDM fields:

Log field UDM mapping Logic
properties.AccountDomain target.administrative_domain
properties.AccountName target.user.userid
properties.AccountObjectId additional.fields[account_object_id]
properties.AccountSid target.user.windows_sid
properties.AccountUpn target.user.user_display_name
properties.ActionType metadata.event_type If the properties.ActionType log field value matches the regular expression pattern (?i)ProcessCreated, then the metadata.event_type UDM field is set to PROCESS_LAUNCH.

Else, if the properties.ActionType log field value matches the regular expression pattern (?i)OpenProcess, then the metadata.event_type UDM field is set to PROCESS_OPEN.
properties.AdditionalFields additional.fields[additional_fields]
properties.AppGuardContainerId additional.fields[app_guard_container_id]
properties.DeviceId principal.asset_id The principal.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.DeviceName principal.hostname
properties.FileName target.process.file.names
properties.FileSize target.process.file.size
properties.FolderPath target.file.full_path If the properties.FolderPath log field value matches the regular expression pattern formed by the properties.FileName log field value, then the properties.FolderPath log field is mapped to the target.file.full_path UDM field.

Else, the target.file.full_path UDM field is set to %{properties.FolderPath}/%{properties.FileName}.
properties.InitiatingProcessAccountDomain principal.administrative_domain
properties.InitiatingProcessAccountName principal.user.userid
properties.InitiatingProcessAccountObjectId principal.user.product_object_id
properties.InitiatingProcessAccountSid principal.user.windows_sid
properties.InitiatingProcessAccountUpn principal.user.user_display_name
properties.InitiatingProcessCommandLine principal.process.command_line
properties.InitiatingProcessCreationTime additional.fields[initiating_process_creation_time]
properties.InitiatingProcessFileName principal.process.file.names
properties.InitiatingProcessFileSize principal.process.file.size
properties.InitiatingProcessFolderPath principal.process.file.full_path If the properties.InitiatingProcessFolderPath log field value matches the regular expression pattern formed by the properties.InitiatingProcessFileName log field value, then the properties.InitiatingProcessFolderPath log field is mapped to the principal.process.file.full_path UDM field.

Else, the principal.process.file.full_path is set to %{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}.
properties.InitiatingProcessId principal.process.pid
properties.InitiatingProcessIntegrityLevel additional.fields[initiating_process_integrity_level]
properties.InitiatingProcessLogonId additional.fields[initiating_process_logon_id]
properties.InitiatingProcessMD5 principal.process.file.md5 If the properties.InitiatingProcessMD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessMD5 log field is mapped to the principal.process.file.md5 UDM field.
properties.InitiatingProcessParentCreationTime additional.fields[initiating_process_parent_creation_time]
properties.InitiatingProcessParentFileName principal.process.parent_process.file.names
properties.InitiatingProcessParentId principal.process.parent_process.pid
properties.InitiatingProcessSHA1 principal.process.file.sha1 If the properties.InitiatingProcessSHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessSHA1 log field is mapped to the principal.process.file.sha1 UDM field.
properties.InitiatingProcessSHA256 principal.process.file.sha256 If the properties.InitiatingProcessSHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.InitiatingProcessSHA256 log field is mapped to the principal.process.file.sha256 UDM field.
properties.InitiatingProcessSignatureStatus principal.process.file.signature_info.sigcheck.signers.status
properties.InitiatingProcessSignerType additional.fields[initiating_process_signer_type]
properties.InitiatingProcessTokenElevation principal.process.token_elevation_type If the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeFull, then the principal.process.token_elevation_type UDM field is set to TYPE_1.

Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeDefault, then the principal.process.token_elevation_type UDM field is set to TYPE_2.

Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeLimited, then the principal.process.token_elevation_type UDM field is set to TYPE_3.
properties.InitiatingProcessVersionInfoCompanyName principal.process.file.exif_info.company
properties.InitiatingProcessVersionInfoFileDescription principal.process.file.exif_info.file_description
properties.InitiatingProcessVersionInfoInternalFileName additional.fields[initiating_process_version_info_internal_file_name]
properties.InitiatingProcessVersionInfoOriginalFileName principal.process.file.exif_info.original_file
properties.InitiatingProcessVersionInfoProductName principal.process.file.exif_info.product
properties.InitiatingProcessVersionInfoProductVersion additional.fields[initiating_process_version_info_product_version]
properties.LogonId network.session_id
properties.MD5 target.process.file.md5 If the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.MD5 log field is mapped to the target.file.md5 UDM field.
properties.ProcessCommandLine target.process.command_line
properties.ProcessCreationTime additional.fields[process_creation_time]
properties.ProcessId target.process.pid
properties.ProcessIntegrityLevel target.resource.attribute.labels[process_integrity_level]
properties.ProcessTokenElevation target.process.token_elevation_type If the properties.ProcessTokenElevation log field value is equal to TokenElevationTypeFull, then the target.process.token_elevation_type UDM field is set to TYPE_1.

Else, if the properties.ProcessTokenElevation log field value is equal to TokenElevationTypeDefault, then the target.process.token_elevation_type UDM field is set to TYPE_2.

Else, if the properties.ProcessTokenElevation log field value is equal to TokenElevationTypeLimited, then the target.process.token_elevation_type UDM field is set to TYPE_3.
properties.ProcessVersionInfoCompanyName target.process.file.exif_info.company
properties.ProcessVersionInfoFileDescription target.process.file.exif_info.file_description
properties.ProcessVersionInfoInternalFileName additional.fields[process_version_info_internal_file_name]
properties.ProcessVersionInfoOriginalFileName target.process.file.exif_info.original_file
properties.ProcessVersionInfoProductName target.process.file.exif_info.product
properties.ProcessVersionInfoProductVersion additional.fields[process_version_info_product_version]
properties.ReportId metadata.product_log_id
properties.SHA1 target.process.file.sha1 If the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.SHA1 log field is mapped to the target.file.sha1 UDM field.
properties.SHA256 target.process.file.sha256 If the properties.SHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.SHA256 log field is mapped to the target.file.sha256 UDM field.
properties.Timestamp metadata.event_timestamp
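The DeviceProcessEvents table above combines the conditional rules that recur throughout this reference: the case-sensitive hash checks (^[0-9a-f]+$ and ^[a-f0-9]{64}$), the FolderPath/FileName full-path rule, the TokenElevationType* to TYPE_n mapping, and the ActionType to metadata.event_type mapping. The following Python is an added reference implementation of those documented rules, written for this page; it is not the Google SecOps parser and not Microsoft code. It uses the UDM field names from the "UDM mapping" column, treats the file name as a literal string when testing whether FolderPath already contains it (the table describes a regular expression match, so a file name with regex metacharacters would behave differently in a literal regex engine), and runs over a constructed sample event whose SHA1 is uppercase to show that the documented pattern leaves such a value unmapped.

```python
import re
from typing import Any, Dict, Optional

# Patterns exactly as documented in the DeviceProcessEvents table.
# Both are lowercase-only, so an uppercase hex digest is not mapped.
HEX_PATTERN = re.compile(r"^[0-9a-f]+$")        # MD5 and SHA1 rule
SHA256_PATTERN = re.compile(r"^[a-f0-9]{64}$")  # SHA256 rule

# TokenElevationType* -> UDM token_elevation_type, per the table.
TOKEN_ELEVATION = {
    "TokenElevationTypeFull": "TYPE_1",
    "TokenElevationTypeDefault": "TYPE_2",
    "TokenElevationTypeLimited": "TYPE_3",
}


def event_type(action_type: str) -> Optional[str]:
    """ActionType -> metadata.event_type; unmatched values stay unset."""
    if re.search(r"(?i)ProcessCreated", action_type):
        return "PROCESS_LAUNCH"
    if re.search(r"(?i)OpenProcess", action_type):
        return "PROCESS_OPEN"
    return None


def full_path(folder_path: str, file_name: str) -> str:
    """If FolderPath already contains FileName keep it, else join with '/'.

    Assumption (this example, not the parser): the file name is matched as a
    literal substring via re.escape rather than as a raw regular expression.
    """
    if file_name and re.search(re.escape(file_name), folder_path):
        return folder_path
    return f"{folder_path}/{file_name}"


def valid_hash(value: str, pattern: "re.Pattern[str]") -> Optional[str]:
    """Return the digest only if it satisfies the documented pattern."""
    return value if value and pattern.match(value) else None


def normalize_process_event(raw: Dict[str, Any]) -> Dict[str, Any]:
    """Apply the documented DeviceProcessEvents rules to one raw record."""
    p = raw.get("properties", {})
    udm: Dict[str, Any] = {}

    udm["metadata.event_type"] = event_type(p.get("ActionType", ""))
    udm["metadata.product_log_id"] = p.get("ReportId")
    udm["metadata.event_timestamp"] = p.get("Timestamp")
    if p.get("DeviceId"):
        udm["principal.asset_id"] = f"DeviceID:{p['DeviceId']}"
    udm["principal.hostname"] = p.get("DeviceName")

    udm["target.file.full_path"] = full_path(p.get("FolderPath", ""), p.get("FileName", ""))
    udm["principal.process.file.full_path"] = full_path(
        p.get("InitiatingProcessFolderPath", ""), p.get("InitiatingProcessFileName", ""))

    # Hash fields: mapped only when the documented pattern matches.
    for src, dst, pattern in (
        ("MD5", "target.process.file.md5", HEX_PATTERN),
        ("SHA1", "target.process.file.sha1", HEX_PATTERN),
        ("SHA256", "target.process.file.sha256", SHA256_PATTERN),
        ("InitiatingProcessMD5", "principal.process.file.md5", HEX_PATTERN),
        ("InitiatingProcessSHA1", "principal.process.file.sha1", HEX_PATTERN),
        ("InitiatingProcessSHA256", "principal.process.file.sha256", SHA256_PATTERN),
    ):
        udm[dst] = valid_hash(p.get(src, ""), pattern)

    udm["target.process.token_elevation_type"] = TOKEN_ELEVATION.get(p.get("ProcessTokenElevation", ""))
    udm["principal.process.token_elevation_type"] = TOKEN_ELEVATION.get(
        p.get("InitiatingProcessTokenElevation", ""))
    udm["target.process.command_line"] = p.get("ProcessCommandLine")
    udm["principal.process.command_line"] = p.get("InitiatingProcessCommandLine")

    # Unset UDM fields are dropped rather than emitted as null.
    return {k: v for k, v in udm.items() if v is not None}


# Constructed sample record for illustration; not a real Defender event.
SAMPLE_EVENT = {
    "properties": {
        "ActionType": "ProcessCreated",
        "ReportId": "12345",
        "Timestamp": "2024-01-01T12:00:00Z",
        "DeviceId": "deadbeef0123",
        "DeviceName": "ws-example-01",
        "FolderPath": r"C:\Windows\System32\notepad.exe",  # already contains FileName
        "FileName": "notepad.exe",
        "SHA1": "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709",  # uppercase: fails ^[0-9a-f]+$
        "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "MD5": "d41d8cd98f00b204e9800998ecf8427e",
        "ProcessCommandLine": "notepad.exe readme.txt",
        "ProcessTokenElevation": "TokenElevationTypeLimited",
        "InitiatingProcessFolderPath": r"C:\Windows",  # folder only: joined with FileName
        "InitiatingProcessFileName": "explorer.exe",
        "InitiatingProcessCommandLine": "explorer.exe",
        "InitiatingProcessTokenElevation": "TokenElevationTypeFull",
    }
}

if __name__ == "__main__":
    for field, value in sorted(normalize_process_event(SAMPLE_EVENT).items()):
        print(f"{field} = {value}")
```

Two details worth noticing when validating a feed against this table: the "Else" branch of the full-path rule joins with a forward slash even for Windows paths, and the hash rules are case-sensitive, so a search on target.process.file.sha1 will miss events whose raw SHA1 arrived in uppercase.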

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmInfoGathering

The following table lists the log fields for the DeviceTvmInfoGathering log type and their corresponding UDM fields:

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to SCAN_HOST.
properties.AdditionalFields additional.fields[additional_fields]
properties.DeviceId principal.asset_id The principal.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.DeviceName principal.hostname
properties.LastSeenTime security.result.last_discovered_time
properties.OSPlatform principal.asset.platform_software.platform If the properties.OSPlatform log field value matches the regular expression pattern (?i)macos, then the principal.asset.platform_software.platform UDM field is set to MAC.

Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)windows, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.

Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)linux, then the principal.asset.platform_software.platform UDM field is set to LINUX.
properties.OSPlatform principal.asset.platform_software.platform_version
properties.Timestamp metadata.event_timestamp

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceRegistryEvents

The following table lists the log fields for the DeviceRegistryEvents log type and their corresponding UDM fields:

Log field UDM mapping Logic
properties.ActionType metadata.event_type If the properties.ActionType log field value matches the regular expression pattern (?i)RegistryKeyCreated, then the metadata.event_type UDM field is set to REGISTRY_CREATION.

Else, if the properties.ActionType log field value matches the regular expression pattern (?i)RegistryKeyDeleted, then the metadata.event_type UDM field is set to REGISTRY_DELETION.

Else, if the properties.ActionType log field value matches the regular expression pattern (?i)RegistryKeyRenamed, then the metadata.event_type UDM field is set to REGISTRY_MODIFICATION.

Else, if the properties.ActionType log field value matches the regular expression pattern (?i)RegistryValueDeleted, then the metadata.event_type UDM field is set to REGISTRY_DELETION.

Else, if the properties.ActionType log field value matches the regular expression pattern (?i)RegistryValueSet, then the metadata.event_type UDM field is set to REGISTRY_MODIFICATION.

Else, the metadata.event_type UDM field is set to REGISTRY_UNCATEGORIZED.
properties.AppGuardContainerId additional.fields[app_guard_container_id]
properties.DeviceId principal.asset_id The principal.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.DeviceName principal.hostname
properties.InitiatingProcessAccountDomain principal.administrative_domain
properties.InitiatingProcessAccountName principal.user.userid
properties.InitiatingProcessAccountObjectId principal.user.attribute.labels[initiating_process_account_object_id]
properties.InitiatingProcessAccountSid principal.user.windows_sid
properties.InitiatingProcessAccountUpn principal.user.attribute.labels[initiating_process_account_upn]
properties.InitiatingProcessCommandLine principal.process.command_line
properties.InitiatingProcessCreationTime additional.fields[initiating_process_creation_time]
properties.InitiatingProcessFileName principal.process.file.names
properties.InitiatingProcessFileSize principal.process.file.size
properties.InitiatingProcessFolderPath principal.process.file.full_path If the properties.InitiatingProcessFolderPath log field value matches the regular expression pattern formed by the properties.InitiatingProcessFileName log field value, then the properties.InitiatingProcessFolderPath log field is mapped to the principal.process.file.full_path UDM field.

Else, the principal.process.file.full_path is set to %{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}.
properties.InitiatingProcessId principal.process.pid
properties.InitiatingProcessIntegrityLevel additional.fields[initiating_process_integrity_level]
properties.InitiatingProcessMD5 principal.process.file.md5 If the properties.InitiatingProcessMD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessMD5 log field is mapped to the principal.process.file.md5 UDM field.
properties.InitiatingProcessParentCreationTime additional.fields[initiating_process_parent_creation_time]
properties.InitiatingProcessParentFileName principal.process.parent_process.file.names
properties.InitiatingProcessParentId principal.process.parent_process.pid
properties.InitiatingProcessSHA1 principal.process.file.sha1 If the properties.InitiatingProcessSHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessSHA1 log field is mapped to the principal.process.file.sha1 UDM field.
properties.InitiatingProcessSHA256 principal.process.file.sha256 If the properties.InitiatingProcessSHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.InitiatingProcessSHA256 log field is mapped to the principal.process.file.sha256 UDM field.
properties.InitiatingProcessTokenElevation principal.process.token_elevation_type If the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeFull, then the principal.process.token_elevation_type UDM field is set to TYPE_1.

Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeDefault, then the principal.process.token_elevation_type UDM field is set to TYPE_2.

Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeLimited, then the principal.process.token_elevation_type UDM field is set to TYPE_3.
properties.InitiatingProcessVersionInfoCompanyName principal.process.file.exif_info.company
properties.InitiatingProcessVersionInfoFileDescription principal.process.file.exif_info.file_description
properties.InitiatingProcessVersionInfoInternalFileName additional.fields[initiating_process_version_info_internal_file_name]
properties.InitiatingProcessVersionInfoOriginalFileName principal.process.file.exif_info.original_file
properties.InitiatingProcessVersionInfoProductName principal.process.file.exif_info.product
properties.InitiatingProcessVersionInfoProductVersion additional.fields[initiating_process_version_info_product_version]
properties.PreviousRegistryKey principal.registry.registry_key
properties.PreviousRegistryValueData principal.registry.registry_value_data
properties.PreviousRegistryValueName principal.registry.registry_value_name
properties.RegistryKey target.registry.registry_key
properties.RegistryValueData target.registry.registry_value_data
properties.RegistryValueName target.registry.registry_value_name
properties.RegistryValueType additional.fields[registry_value_type]
properties.ReportId metadata.product_log_id
properties.Timestamp metadata.event_timestamp

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmInfoGatheringKB

The following table lists the log fields for the DeviceTvmInfoGatheringKB log type and their corresponding UDM fields:

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
properties.Categories principal.resource.attribute.labels[categories]
properties.DataStructure principal.resource.attribute.labels[data_structure]
properties.Description metadata.description
properties.FieldName principal.resource.name
properties.IgId metadata.product_log_id

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmSecureConfigurationAssessment

The following table lists the log fields for the DeviceTvmSecureConfigurationAssessment log type and their corresponding UDM fields:

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to SCAN_UNCATEGORIZED.
principal.resource.resource_type The principal.resource.resource_type UDM field is set to ACCESS_POLICY.
properties.ConfigurationCategory principal.resource.attribute.labels[configuration_category]
properties.ConfigurationId principal.resource.product_object_id
properties.ConfigurationImpact principal.resource.attribute.labels[configuration_impact]
properties.ConfigurationSubcategory principal.resource.resource_subtype
properties.Context principal.resource.attribute.labels[contex]
properties.DeviceId principal.asset_id The principal.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.DeviceName principal.hostname
properties.IsApplicable principal.resource.attribute.labels[is_applicable]
properties.IsCompliant principal.resource.attribute.labels[is_compliant]
properties.IsExpectedUserImpact principal.resource.attribute.labels[is_expected_user_impact]
properties.OSPlatform principal.asset.platform_software.platform If the properties.OSPlatform log field value matches the regular expression pattern (?i)macos, then the principal.asset.platform_software.platform UDM field is set to MAC.

Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)windows, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.

Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)linux, then the principal.asset.platform_software.platform UDM field is set to LINUX.
properties.Timestamp metadata.event_timestamp

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmSecureConfigurationAssessmentKB

The following table lists the log fields for the DeviceTvmSecureConfigurationAssessmentKB log type and their corresponding UDM fields:

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
principal.resource.resource_type The principal.resource.resource_type UDM field is set to ACCESS_POLICY.
properties.ConfigurationBenchmarks principal.resource.attribute.labels[configuration_benchmarks]
properties.ConfigurationCategory principal.resource.attribute.labels[configuration_category]
properties.ConfigurationDescription principal.resource.attribute.labels[configuration_description]
properties.ConfigurationId principal.resource.product_object_id
properties.ConfigurationImpact principal.resource.attribute.labels[configuration_impact]
properties.ConfigurationName principal.resource.name
properties.ConfigurationSubcategory principal.resource.resource_subtype
properties.RemediationOptions principal.resource.attribute.labels[remediation_options]
properties.RiskDescription principal.resource.attribute.labels[risk_description]
properties.Tags principal.resource.attribute.labels[tags]

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmSoftwareEvidenceBeta

The following table lists the log fields for the DeviceTvmSoftwareEvidenceBeta log type and their corresponding UDM fields:

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
properties.DeviceId principal.asset_id The principal.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.DiskPaths principal.asset.attribute.labels[disk_paths] The properties.DiskPaths log field is mapped to the principal.asset.attribute.labels.disk_paths UDM field.
properties.LastSeenTime principal.asset.last_discover_time
properties.RegistryPaths principal.asset.attribute.labels[registry_paths] The properties.RegistryPaths log field is mapped to the principal.asset.attribute.labels.registry_paths UDM field.
properties.SoftwareName principal.asset.software.name
properties.SoftwareVendor principal.asset.software.vendor_name
properties.SoftwareVersion principal.asset.software.version

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmSoftwareInventory

The following table lists the log fields for the DeviceTvmSoftwareInventory log type and their corresponding UDM fields:

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
properties.DeviceId principal.asset_id The principal.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.DeviceName principal.hostname
properties.EndOfSupportDate principal.asset.attribute.labels[end_of_support_date]
properties.EndOfSupportStatus principal.asset.attribute.labels[end_of_support_status]
properties.OSArchitecture principal.asset.attribute.labels[os_architecture]
properties.OSPlatform principal.asset.platform_software.platform If the properties.OSPlatform log field value matches the regular expression pattern (?i)macos, then the principal.asset.platform_software.platform UDM field is set to MAC.

Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)windows, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.

Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)linux, then the principal.asset.platform_software.platform UDM field is set to LINUX.
properties.OSVersion principal.asset.platform_software.platform_version
properties.ProductCodeCpe principal.asset.attribute.labels[product_code_cpe]
properties.SoftwareName principal.asset.software.name
properties.SoftwareVendor principal.asset.software.vendor_name
properties.SoftwareVersion principal.asset.software.version

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmSoftwareVulnerabilities

The following table lists the log fields for the DeviceTvmSoftwareVulnerabilities log type and their corresponding UDM fields:

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to SCAN_VULN_HOST.
properties.CveId extensions.vulns.vulnerabilities.cve_id
properties.CveTags additional.fields[cve_tags]
properties.DeviceId principal.asset_id The principal.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.DeviceName principal.hostname
properties.OSPlatform principal.asset.platform_software.platform If the properties.OSPlatform log field value matches the regular expression pattern (?i)macos, then the principal.asset.platform_software.platform UDM field is set to MAC.

Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)windows, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.

Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)linux, then the principal.asset.platform_software.platform UDM field is set to LINUX.
properties.OSVersion principal.asset.platform_software.platform_version
properties.RecommendedSecurityUpdate security_result.detection_fields[recommended_security_update]
properties.RecommendedSecurityUpdateId security_result.detection_fields[recommended_security_update_id]
properties.SeverityLevel extensions.vulns.vulnerabilities.severity_details
properties.SoftwareName principal.asset.software.name
properties.SoftwareVendor principal.asset.software.vendor_name
properties.SoftwareVersion principal.asset.software.version
properties.VulnerabilityLevel extensions.vulns.vulnerabilities.severity If the properties.VulnerabilityLevel log field value is equal to High, then the extensions.vulns.vulnerabilities.severity UDM field is set to HIGH.

Else, if the properties.VulnerabilityLevel log field value is equal to Medium, then the extensions.vulns.vulnerabilities.severity UDM field is set to MEDIUM.

Else, if the properties.VulnerabilityLevel log field value is equal to Low, then the extensions.vulns.vulnerabilities.severity UDM field is set to LOW.

Else, if the properties.VulnerabilityLevel log field value is equal to Informational, then the extensions.vulns.vulnerabilities.severity UDM field is set to INFORMATIONAL.

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmSoftwareVulnerabilitiesKB

The following table lists the log fields for the DeviceTvmSoftwareVulnerabilitiesKB log type and their corresponding UDM fields:

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
properties.AffectedSoftware extensions.vulns.vulnerabilities.description
properties.CveId extensions.vulns.vulnerabilities.cve_id
properties.CvssScore extensions.vulns.vulnerabilities.cvss_base_score
properties.IsExploitAvailable extensions.vulns.vulnerabilities.cvss_vector
properties.LastModifiedTime extensions.vulns.vulnerabilities.scan_end_time
properties.PublishedDate extensions.vulns.vulnerabilities.first_found
properties.VulnerabilityDescription extensions.vulns.vulnerabilities.cve_description
properties.VulnerabilitySeverityLevel extensions.vulns.vulnerabilities.severity If the properties.VulnerabilitySeverityLevel log field value is equal to High, then the extensions.vulns.vulnerabilities.severity UDM field is set to HIGH.

Else, if the properties.VulnerabilitySeverityLevel log field value is equal to Medium, then the extensions.vulns.vulnerabilities.severity UDM field is set to MEDIUM.

Else, if the properties.VulnerabilitySeverityLevel log field value is equal to Low, then the extensions.vulns.vulnerabilities.severity UDM field is set to LOW.

Else, if the properties.VulnerabilitySeverityLevel log field value is equal to Informational, then the extensions.vulns.vulnerabilities.severity UDM field is set to INFORMATIONAL.

Else, the extensions.vulns.vulnerabilities.severity UDM field is set to UNKNOWN_SEVERITY.
properties.VulnerabilitySeverityLevel extensions.vulns.vulnerabilities.severity_details
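The OSPlatform, asset_id and severity rules from the DeviceTvmSecureConfigurationAssessment, DeviceTvmSoftwareInventory, DeviceTvmSoftwareVulnerabilities and DeviceTvmSoftwareVulnerabilitiesKB tables above, carried through in Python as an added example. This is not Google SecOps parser code and not Microsoft code; it reproduces the documented logic so that you can compare the UDM a feed actually produced against the shape you expect, and it makes one difference between the two vulnerability tables visible: the per-device table documents no fallback for VulnerabilityLevel, so an unlisted value leaves extensions.vulns.vulnerabilities.severity unset, while the KB table falls back to UNKNOWN_SEVERITY. The flattened dotted-path dictionary keys, the sample records, the placeholder CVE identifier and the severity string "Critical" (a value outside the four strings the tables enumerate) are all constructed for illustration.

```python
import re

# Documented OSPlatform rules: case-insensitive regexes, evaluated in this order.
_PLATFORM_RULES = (
    (re.compile(r"(?i)macos"), "MAC"),
    (re.compile(r"(?i)windows"), "WINDOWS"),
    (re.compile(r"(?i)linux"), "LINUX"),
)

# The four severity strings the tables enumerate, with their UDM enum values.
_SEVERITY = {
    "High": "HIGH",
    "Medium": "MEDIUM",
    "Low": "LOW",
    "Informational": "INFORMATIONAL",
}


def map_os_platform(os_platform):
    """principal.asset.platform_software.platform, or None when no documented
    regex matches (the tables have no fallback branch for OSPlatform)."""
    if not os_platform:
        return None
    for regex, udm_value in _PLATFORM_RULES:
        if regex.search(os_platform):
            return udm_value
    return None


def map_device_vulnerability(props):
    """DeviceTvmSoftwareVulnerabilities record -> dict of flattened UDM paths."""
    udm = {"metadata.event_type": "SCAN_VULN_HOST"}
    if "DeviceId" in props:
        udm["principal.asset_id"] = f"DeviceID:{props['DeviceId']}"
    if "DeviceName" in props:
        udm["principal.hostname"] = props["DeviceName"]
    platform = map_os_platform(props.get("OSPlatform"))
    if platform:
        udm["principal.asset.platform_software.platform"] = platform
    if "OSVersion" in props:
        udm["principal.asset.platform_software.platform_version"] = props["OSVersion"]
    if "CveId" in props:
        udm["extensions.vulns.vulnerabilities.cve_id"] = props["CveId"]
    if "SeverityLevel" in props:
        # SeverityLevel feeds the free-text details field; the enum comes from VulnerabilityLevel.
        udm["extensions.vulns.vulnerabilities.severity_details"] = props["SeverityLevel"]
    # No else branch is documented here: an unlisted VulnerabilityLevel leaves
    # extensions.vulns.vulnerabilities.severity unset rather than UNKNOWN_SEVERITY.
    severity = _SEVERITY.get(props.get("VulnerabilityLevel"))
    if severity:
        udm["extensions.vulns.vulnerabilities.severity"] = severity
    return udm


def map_vulnerability_kb(props):
    """DeviceTvmSoftwareVulnerabilitiesKB record -> dict of flattened UDM paths."""
    udm = {"metadata.event_type": "GENERIC_EVENT"}
    if "CveId" in props:
        udm["extensions.vulns.vulnerabilities.cve_id"] = props["CveId"]
    if "CvssScore" in props:
        udm["extensions.vulns.vulnerabilities.cvss_base_score"] = props["CvssScore"]
    if "VulnerabilityDescription" in props:
        udm["extensions.vulns.vulnerabilities.cve_description"] = props["VulnerabilityDescription"]
    level = props.get("VulnerabilitySeverityLevel")
    # The KB table documents a fallback, so every record gets a severity enum.
    udm["extensions.vulns.vulnerabilities.severity"] = _SEVERITY.get(level, "UNKNOWN_SEVERITY")
    if level is not None:
        udm["extensions.vulns.vulnerabilities.severity_details"] = level
    return udm


# Constructed sample records (not real telemetry), shaped like the Streaming API
# "properties" object the tables describe. "Critical" is deliberately a value
# outside the four strings the tables enumerate.
SAMPLE_DEVICE_VULN = {
    "DeviceId": "0123456789abcdef0123456789abcdef01234567",
    "DeviceName": "ws-finance-01.example.internal",
    "OSPlatform": "Windows10",
    "OSVersion": "10.0.19045",
    "CveId": "CVE-0000-00000",  # placeholder, not a real CVE identifier
    "SeverityLevel": "Critical",
    "VulnerabilityLevel": "Critical",
}
SAMPLE_KB = {
    "CveId": "CVE-0000-00000",  # placeholder, not a real CVE identifier
    "CvssScore": 9.8,
    "VulnerabilityDescription": "Constructed description for illustration.",
    "VulnerabilitySeverityLevel": "Critical",
}

if __name__ == "__main__":
    from pprint import pprint
    pprint(map_device_vulnerability(SAMPLE_DEVICE_VULN))
    pprint(map_vulnerability_kb(SAMPLE_KB))
```

Run it against a record exported from your own feed in place of the samples; a field that is present in the record but absent from the UDM the example produces points either at a value outside the documented enumerations or at a mapping the parser does not document.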

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - EmailAttachmentInfo

The following table lists the log fields for the EmailAttachmentInfo log type and their corresponding UDM fields:

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to EMAIL_TRANSACTION.
properties.DetectionMethods security_result.detection_fields[detection_methods]
properties.FileName target.file.names
properties.FileSize target.file.size
properties.FileType target.file.mime_type
properties.NetworkMessageId network.email.mail_id
properties.RecipientEmailAddress network.email.to If the properties.RecipientEmailAddress log field value matches the regular expression pattern ^.+@.+$, then the properties.RecipientEmailAddress log field is mapped to the network.email.to UDM field.
properties.RecipientEmailAddress target.user.email_addresses If the properties.RecipientEmailAddress log field value matches the regular expression pattern ^.+@.+$, then the properties.RecipientEmailAddress log field is mapped to the target.user.email_addresses UDM field.
properties.RecipientObjectId target.user.product_object_id
properties.ReportId metadata.product_log_id
properties.SenderDisplayName principal.user.user_display_name
properties.SenderFromAddress network.email.from If the properties.SenderFromAddress log field value matches the regular expression pattern ^.+@.+$, then the properties.SenderFromAddress log field is mapped to the network.email.from UDM field.
properties.SenderFromAddress principal.user.email_addresses If the properties.SenderFromAddress log field value matches the regular expression pattern ^.+@.+$, then the properties.SenderFromAddress log field is mapped to the principal.user.email_addresses UDM field.
properties.SenderObjectId principal.user.product_object_id
properties.SHA256 target.file.sha256 If the properties.SHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.SHA256 log field is mapped to the target.file.sha256 UDM field.
properties.ThreatNames security_result.threat_name
properties.ThreatTypes security_result.category If the properties.ThreatTypes log field value is equal to Phish, then the security_result.category UDM field is set to MAIL_PHISHING.
properties.Timestamp metadata.event_timestamp

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - EmailEvents

The following table lists the log fields for the EmailEvents log type and their corresponding UDM fields:

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to EMAIL_TRANSACTION.
properties.AdditionalFields additional.fields[additional_fields]
properties.AttachmentCount additional.fields[latest_delivery_action]
properties.AuthenticationDetails security_result.detection_fields[authentication_details]
properties.BulkComplaintLevel security_result.detection_fields[bulk_complaint_level]
properties.ConfidenceLevel security_result.confidence_details
properties.Connectors additional.fields[attachment_count]
properties.DeliveryAction additional.fields[delivery_action]
properties.DeliveryLocation additional.fields[delivery_location] The properties.DeliveryLocation log field is mapped to the additional.fields.delivery_location UDM field.
properties.DetectionMethods security_result.detection_fields[detection_methods]
properties.EmailAction security_result.description
properties.EmailActionPolicy security_result.rule_name
properties.EmailActionPolicyGuid security_result.rule_id
properties.EmailClusterId additional.fields[email_cluster_id]
properties.EmailDirection network.direction If the properties.EmailDirection log field value is equal to Inbound, then the network.direction UDM field is set to INBOUND.

Else, if the properties.EmailDirection log field value is equal to Outbound, then the network.direction UDM field is set to OUTBOUND.

Else, the network.direction UDM field is set to UNKNOWN_DIRECTION.
properties.EmailLanguage additional.fields[email_language]
properties.InternetMessageId additional.fields[internet_message_id]
properties.LatestDeliveryAction additional.fields[latest_delivery_action]
properties.LatestDeliveryLocation additional.fields[last_delivery_location]
properties.NetworkMessageId network.email.mail_id
properties.OrgLevelAction security_result.rule_labels[org_level_action]
properties.OrgLevelPolicy security_result.rule_labels[org_level_policy]
properties.RecipientEmailAddress network.email.to
properties.RecipientEmailAddress target.user.email_addresses If the properties.RecipientEmailAddress log field value matches the regular expression pattern ^.+@.+$, then the properties.RecipientEmailAddress log field is mapped to the target.user.email_addresses UDM field.
properties.RecipientObjectId target.user.product_object_id
properties.ReportId metadata.product_log_id
properties.SenderDisplayName principal.user.user_display_name
properties.SenderFromAddress principal.user.email_addresses If the properties.SenderFromAddress log field value matches the regular expression pattern ^.+@.+$, then the properties.SenderFromAddress log field is mapped to the principal.user.email_addresses UDM field.
properties.SenderFromDomain principal.administrative_domain
properties.SenderIPv4 principal.ip
properties.SenderIPv6 principal.ip
properties.SenderMailFromAddress principal.user.attribute.labels[sender_mail_from_address]
properties.SenderMailFromDomain principal.user.attribute.labels[sender_mail_from_domain]
properties.SenderObjectId principal.user.product_object_id
properties.Subject network.email.subject
properties.ThreatNames security_result.threat_name
properties.ThreatTypes security_result.category If the properties.ThreatTypes log field value is equal to Phish, then the security_result.category UDM field is set to MAIL_PHISHING.
properties.ThreatTypes security_result.category_details
properties.Timestamp metadata.event_timestamp
properties.UrlCount additional.fields[connectors]
properties.UserLevelAction security_result.rule_labels[user_level_action]
properties.UserLevelPolicy security_result.rule_labels[user_level_policy]
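The address, hash, direction and threat-type rules from the EmailAttachmentInfo and EmailEvents tables above, carried through in Python as an added example. This is not Google SecOps parser code and not Microsoft code; it reproduces the documented guards so that their edge cases are visible on sample input: the SHA256 regex ^[a-f0-9]{64}$ has no (?i) flag, so an uppercase hash is dropped rather than lowercased; in EmailEvents, network.email.to is documented without the ^.+@.+$ guard while target.user.email_addresses keeps it, so a recipient value with no @ reaches one field and not the other; and any EmailDirection other than Inbound or Outbound becomes UNKNOWN_DIRECTION. The flattened dotted-path dictionary keys and the sample records are constructed for illustration.

```python
import re

# Documented guards. The hash regex carries no (?i) flag, unlike the OSPlatform
# regexes elsewhere on this page, so it accepts lowercase hex only.
_EMAIL_RE = re.compile(r"^.+@.+$")
_SHA256_RE = re.compile(r"^[a-f0-9]{64}$")

# EmailDirection values the EmailEvents table enumerates; anything else falls through.
_DIRECTION = {"Inbound": "INBOUND", "Outbound": "OUTBOUND"}


def _set_if_match(udm, key, value, regex, repeated=False):
    """Write value under key only when it satisfies the documented regex."""
    if value is not None and regex.match(value):
        udm[key] = [value] if repeated else value


def map_email_attachment_info(props):
    """EmailAttachmentInfo record -> dict of flattened UDM paths."""
    udm = {"metadata.event_type": "EMAIL_TRANSACTION"}
    if "NetworkMessageId" in props:
        udm["network.email.mail_id"] = props["NetworkMessageId"]
    if "FileName" in props:
        udm["target.file.names"] = [props["FileName"]]
    # Every address field in this table is gated by ^.+@.+$.
    _set_if_match(udm, "network.email.to", props.get("RecipientEmailAddress"), _EMAIL_RE, repeated=True)
    _set_if_match(udm, "target.user.email_addresses", props.get("RecipientEmailAddress"), _EMAIL_RE, repeated=True)
    _set_if_match(udm, "network.email.from", props.get("SenderFromAddress"), _EMAIL_RE)
    _set_if_match(udm, "principal.user.email_addresses", props.get("SenderFromAddress"), _EMAIL_RE, repeated=True)
    # Case-sensitive guard: an uppercase hash is dropped, not lowercased.
    _set_if_match(udm, "target.file.sha256", props.get("SHA256"), _SHA256_RE)
    if "ThreatNames" in props:
        udm["security_result.threat_name"] = props["ThreatNames"]
    if props.get("ThreatTypes") == "Phish":
        udm["security_result.category"] = "MAIL_PHISHING"
    return udm


def map_email_events(props):
    """EmailEvents record -> dict of flattened UDM paths."""
    udm = {"metadata.event_type": "EMAIL_TRANSACTION"}
    if "NetworkMessageId" in props:
        udm["network.email.mail_id"] = props["NetworkMessageId"]
    if "Subject" in props:
        udm["network.email.subject"] = props["Subject"]
    # Here network.email.to is documented without the regex guard, while
    # target.user.email_addresses keeps it, so the two can disagree.
    if "RecipientEmailAddress" in props:
        udm["network.email.to"] = [props["RecipientEmailAddress"]]
    _set_if_match(udm, "target.user.email_addresses", props.get("RecipientEmailAddress"), _EMAIL_RE, repeated=True)
    _set_if_match(udm, "principal.user.email_addresses", props.get("SenderFromAddress"), _EMAIL_RE, repeated=True)
    if "SenderFromDomain" in props:
        udm["principal.administrative_domain"] = props["SenderFromDomain"]
    ips = [props[k] for k in ("SenderIPv4", "SenderIPv6") if props.get(k)]
    if ips:
        udm["principal.ip"] = ips
    # EmailDirection documents an explicit fallback to UNKNOWN_DIRECTION.
    udm["network.direction"] = _DIRECTION.get(props.get("EmailDirection"), "UNKNOWN_DIRECTION")
    if props.get("ThreatTypes") == "Phish":
        udm["security_result.category"] = "MAIL_PHISHING"
    if "ThreatTypes" in props:
        udm["security_result.category_details"] = props["ThreatTypes"]
    return udm


# Constructed sample records (not real telemetry). The uppercase SHA256 and the
# recipient value without an '@' are chosen to exercise the guards above.
SAMPLE_ATTACHMENT = {
    "NetworkMessageId": "00000000-0000-0000-0000-000000000000",
    "FileName": "invoice.pdf",
    "RecipientEmailAddress": "alice@example.com",
    "SenderFromAddress": "billing@example.net",
    "SHA256": "A" * 64,
    "ThreatTypes": "Phish",
    "ThreatNames": "Constructed/Phish.Sample",
}
SAMPLE_EVENT = {
    "NetworkMessageId": "00000000-0000-0000-0000-000000000000",
    "Subject": "Constructed subject line",
    "RecipientEmailAddress": "undisclosed-recipients",
    "SenderFromAddress": "billing@example.net",
    "SenderFromDomain": "example.net",
    "SenderIPv4": "203.0.113.10",
    "EmailDirection": "Intra-org",
    "ThreatTypes": "Phish",
}

if __name__ == "__main__":
    from pprint import pprint
    pprint(map_email_attachment_info(SAMPLE_ATTACHMENT))
    pprint(map_email_events(SAMPLE_EVENT))
```

When a detection rule keys on target.file.sha256 or target.user.email_addresses, the dropped-field behaviour shown here matters: a record whose hash or address fails the documented regex produces an event in which that field is simply absent, so rules should not assume the field is always populated for EMAIL_TRANSACTION events.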

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - EmailPostDeliveryEvents

The following table lists the log fields for the EmailPostDeliveryEvents log type and their corresponding UDM fields:

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to EMAIL_UNCATEGORIZED.
properties.Action security_result.action_details
properties.ActionResult security_result.summary
properties.ActionTrigger security_result.detection_fields[action_trigger]
properties.ActionType security_result.verdict_info.verdict_type If the properties.ActionType log field value is equal to Manual Remediation, then the security_result.verdict_info.verdict_type UDM field is set to ANALYST_VERDICT.

Else, if the properties.ActionType log field contains one of the following values, then the security_result.verdict_info.verdict_type UDM field is set to PROVIDER_ML_VERDICT:
  • Phish ZAP
  • Malware ZAP
  • Spam ZAP
properties.DeliveryLocation security_result.detection_fields[delivery_location]
properties.DetectionMethods security_result.detection_fields[detection_methods]
properties.InternetMessageId additional.fields[internet_message_id]
properties.NetworkMessageId network.email.mail_id
properties.RecipientEmailAddress target.user.email_addresses If the properties.RecipientEmailAddress log field value matches the regular expression pattern ^.+@.+$, then the properties.RecipientEmailAddress log field is mapped to the target.user.email_addresses UDM field.
properties.ReportId security_result.detection_fields[report_id]
properties.ThreatTypes security_result.category If the properties.ThreatTypes log field value is equal to Phish, then the security_result.category UDM field is set to MAIL_PHISHING.
properties.ThreatTypes security_result.category_details
properties.Timestamp metadata.event_timestamp

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - EmailUrlInfo

The following table lists the log fields for the EmailUrlInfo log type and their corresponding UDM fields:

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to EMAIL_TRANSACTION.
properties.NetworkMessageId network.email.mail_id
properties.ReportId metadata.product_log_id
properties.Timestamp metadata.event_timestamp
properties.Url target.url
properties.UrlDomain target.hostname
properties.UrlLocation additional.fields[url_location]

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - IdentityInfo

The following table lists the log fields for the IdentityInfo log type and their corresponding UDM fields:

Log field UDM mapping Logic
metadata.entity_type The metadata.entity_type UDM field is set to USER.
properties.AccountDisplayName entity.user.user_display_name
properties.AccountDomain entity.administrative_domain
properties.AccountName entity.user.userid
properties.AccountObjectId entity.user.product_object_id
properties.AccountObjectId metadata.product_entity_id
properties.AccountUpn entity.user.attribute.labels[account_upn]
properties.Address entity.user.personal_address.name
properties.AssignedRoles entity.user.role_description
properties.ChangeSource entity.user.attribute.labels[change_source]
properties.City entity.user.personal_address.city
properties.CloudSid entity.user.attribute.labels[cloud_sid]
properties.Country entity.user.personal_address.country_or_region
properties.CreatedDateTime entity.user.attribute.creation_time
properties.Department entity.user.department
properties.DistinguishedName entity.user.attribute.labels[distinguished_name]
properties.EmailAddress entity.user.email_addresses If the properties.EmailAddress log field value matches the regular expression pattern ^.+@.+$, then the properties.EmailAddress log field is mapped to the entity.user.email_addresses UDM field.
properties.GivenName entity.user.first_name
properties.IsAccountEnabled entity.user.user_authentication_status If the properties.IsAccountEnabled log field value is equal to 1, then the entity.user.user_authentication_status UDM field is set to ACTIVE.

Else, the entity.user.user_authentication_status UDM field is set to SUSPENDED.
properties.JobTitle entity.user.title
properties.Manager entity.user.managers.user_display_name
properties.OnPremSid entity.user.attribute.labels[on_prem_sid]
properties.Phone entity.user.phone_numbers
properties.ReportId entity.user.attribute.labels[report_id]
properties.SipProxyAddress entity.user.attribute.labels[sip_proxy_address]
properties.SourceProvider entity.user.attribute.labels[source_provider]
properties.SourceSystem entity.resource.parent
properties.Surname entity.user.last_name
properties.Tags entity.user.attribute.labels[tags]
properties.TenantId entity.resource.product_object_id
properties.Timestamp metadata.creation_time
properties.Type entity.user.attribute.role.name
