Collect Microsoft Defender for Endpoint logs
Supported in:
This document describes how you can collect Microsoft Defender for Endpoint logs by setting up a Google Security Operations feed and how log fields map to Google SecOps unified data model (UDM) fields.
For more information, see Data ingestion to Google SecOps.
A typical deployment consists of Microsoft Defender for Endpoint and the Google SecOps feed configured to send logs to Google SecOps. Your deployment might be different from the typical deployment that is described in this document. The deployment contains the following components:
Microsoft Defender for Endpoint: the platform that collects logs.
Azure Storage: the platform that stores logs.
Google SecOps feed: the Google SecOps feed that fetches logs from Microsoft Defender for Endpoint and writes logs to Google SecOps.
Google SecOps: the platform that retains and analyzes the logs from Microsoft Defender for Endpoint.
An ingestion label identifies the parser that normalizes raw log data
to structured UDM format. The information in this document applies to the parser
with the MICROSOFT_DEFENDER_ENDPOINT ingestion label.
Before you begin
- Set the time zone to UTC on all systems in the deployment architecture.
- Ensure that you meet the prerequisites for using Microsoft Defender for Endpoint. For more information, see Microsoft Defender XDR prerequisites.
- Ensure that you have set up Microsoft Defender for Endpoint.
- Configure a storage account in your tenant.
Set up Microsoft Defender for Endpoint
- Sign in to security.microsoft.com as a global administrator or security administrator.
- In the left pane, click Settings.
- Select the Microsoft Defender XDR tab.
- Select Streaming API from the general section and click Add.
- Select Forward events to Azure Storage.
- Navigate to the storage account of your choice.
- Select Overview > JSON View and enter the Resource ID.
- After you enter the resource ID, select all the required data types.
- Click Save.
Configure a feed in Google SecOps to ingest Microsoft Defender for Endpoint logs
- Go to SIEM Settings > Feeds.
- Click Add new.
- In the Feed name field, enter a name for the feed (for example, MS Defender Logs).
- Select Microsoft Azure Blob Storage as the Source Type.
- Select Microsoft Defender for Endpoint as the Log type.
- Click Next
- Configure the following input parameters:
- Azure URI: the URI pointing to an Azure Blob Storage blob or container.
- URI is a: the type of object indicated by the URI.
- Source deletion option: whether to delete files or directories after transferring.
- Select Shared key or SAS token.
- Key/Token: the shared key or SAS token to access Azure resources.
- Click Next and then Submit.
If you encounter issues when you ingest Microsoft Defender for Endpoint logs, contact Google SecOps support.
Supported Microsoft Defender for Endpoint log types
The Microsoft Defender for Endpoint parser supports the following tables:
- AlertEvidence
- AlertInfo
- DeviceAlertEvents
- DeviceEvents
- DeviceFileCertificateInfo
- DeviceFileEvents
- DeviceIdentityLogonEvents
- DeviceImageLoadEvents
- DeviceInfo
- DeviceLogonEvents
- DeviceNetworkEvents
- DeviceNetworkInfo
- DeviceProcessEvents
- DeviceRegistryEvents
- DeviceTvmInfoGathering
- DeviceTvmInfoGatheringKB
- DeviceTvmSecureConfigurationAssessment
- DeviceTvmSecureConfigurationAssessmentKB
- DeviceTvmSoftwareEvidenceBeta
- DeviceTvmSoftwareInventory
- DeviceTvmSoftwareVulnerabilities
- DeviceTvmSoftwareVulnerabilitiesKB
- EmailAttachmentInfo
- EmailEvents
- EmailPostDeliveryEvents
- EmailUrlInfo
- IdentityInfo
Field mapping reference
This section explains how the Google Security Operations parser maps Microsoft Defender for Endpoint fields to Google Security Operations UDM fields.
Field mapping reference: MICROSOFT DEFENDER ENDPOINT - Common Fields for UDM Event Model
The following table lists the common log fields for the MICROSOFT_DEFENDER_ENDPOINT log type and their corresponding UDM fields:
| Common log field | UDM mapping | Logic |
|---|---|---|
time |
metadata.collected_timestamp |
|
category |
metadata.product_event_type |
|
|
metadata.product_name |
The metadata.product_name UDM field is set to Microsoft Defender for Endpoint. |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Microsoft. |
Tenant |
observer.resource_ancestors.name |
|
tenantId |
observer.resource_ancestors.product_object_id |
|
operationName |
additional.fields[operation_name] |
Field mapping reference: MICROSOFT DEFENDER ENDPOINT - Common Fields for UDM Entity Model
The following table lists the common log fields for the MICROSOFT_DEFENDER_ENDPOINT log type and their corresponding UDM fields:
| Common log field | UDM mapping | Logic |
|---|---|---|
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Microsoft. |
|
metadata.product_name |
The metadata.product_name UDM field is set to Microsoft Defender for Endpoint. |
time |
metadata.collected_timestamp |
|
tenantId |
relations.entity.resource.product_object_id |
|
operationName |
additional.fields[operation_name] |
|
category |
metadata.description |
|
Tenant |
relations.entity.resource.name |
|
|
relations.entity_type |
The relations.entity_type UDM field is set to RESOURCE. |
|
relations.relationship |
The relations.relationship UDM field is set to MEMBER. |
|
relations.direction |
The relations.direction UDM field is set to UNIDIRECTIONAL. |
Field mapping reference: DeviceEvents Event Identifier to Event Type
The following table lists theDeviceEvents log action types and their corresponding UDM event types.
| Event Identifier | Event Type |
|---|---|
UsbDriveDriveLetterChanged |
DEVICE_CONFIG_UPDATE |
AppControlAppInstallationAudited |
SCAN_HOST |
AsrExecutableOfficeContentAudited |
SCAN_HOST |
ShellLinkCreateFileEvent |
FILE_CREATION |
FileTimestampModificationEvent |
FILE_MODIFICATION |
PlistPropertyModified |
FILE_MODIFICATION |
SensitiveFileRead |
FILE_READ |
AsrUntrustedExecutableAudited |
SCAN_HOST |
AsrUntrustedExecutableBlocked |
SCAN_HOST |
DlpPocPrintJob |
FILE_UNCATEGORIZED |
RemovableStorageFileEvent |
FILE_UNCATEGORIZED |
DpapiAccessed |
GENERIC_EVENT |
ScreenshotTaken |
GENERIC_EVENT |
SecurityGroupCreated |
GROUP_CREATION |
SecurityGroupDeleted |
GROUP_DELETION |
UserAccountAddedToLocalGroup |
GROUP_MODIFICATION |
UserAccountRemovedFromLocalGroup |
GROUP_MODIFICATION |
ExploitGuardNetworkProtectionAudited |
SCAN_HOST |
ExploitGuardNetworkProtectionBlocked |
SCAN_HOST |
FirewallInboundConnectionBlocked |
NETWORK_CONNECTION |
FirewallInboundConnectionToAppBlocked |
NETWORK_CONNECTION |
FirewallOutboundConnectionBlocked |
NETWORK_CONNECTION |
RemoteDesktopConnection |
NETWORK_CONNECTION |
RemoteWmiOperation |
NETWORK_CONNECTION |
UntrustedWifiConnection |
NETWORK_CONNECTION |
DnsQueryRequest |
NETWORK_DNS |
DnsQueryResponse |
NETWORK_DNS |
NetworkShareObjectAdded |
NETWORK_UNCATEGORIZED |
AppGuardBrowseToUrl |
SCAN_HOST |
BrowserLaunchedToOpenUrl |
NETWORK_UNCATEGORIZED |
NetworkProtectionUserBypassEvent |
NETWORK_UNCATEGORIZED |
NetworkShareObjectAccessChecked |
NETWORK_UNCATEGORIZED |
NetworkShareObjectDeleted |
NETWORK_UNCATEGORIZED |
NetworkShareObjectModified |
NETWORK_UNCATEGORIZED |
AsrOfficeProcessInjectionAudited |
SCAN_HOST |
AppGuardCreateContainer |
SCAN_HOST |
AppGuardLaunchedWithUrl |
SCAN_HOST |
AsrAdobeReaderChildProcessAudited |
SCAN_HOST |
AsrAdobeReaderChildProcessBlocked |
SCAN_HOST |
AsrExecutableEmailContentAudited |
SCAN_HOST |
AsrOfficeChildProcessAudited |
SCAN_HOST |
AsrOfficeCommAppChildProcessAudited |
SCAN_HOST |
AsrPsexecWmiChildProcessAudited |
SCAN_HOST |
AsrScriptExecutableDownloadAudited |
SCAN_HOST |
AsrUntrustedUsbProcessAudited |
SCAN_HOST |
ExploitGuardChildProcessAudited |
SCAN_HOST |
ExploitGuardLowIntegrityImageAudited |
SCAN_HOST |
PowerShellCommand |
PROCESS_LAUNCH |
ProcessCreatedUsingWmiQuery |
PROCESS_LAUNCH |
QueueUserApcRemoteApiCall |
PROCESS_LAUNCH |
GetClipboardData |
STATUS_UPDATE |
OpenProcessApiCall |
PROCESS_OPEN |
ScriptContent |
PROCESS_LAUNCH |
AppControlAppInstallationBlocked |
SCAN_HOST |
AppGuardSuspendContainer |
SCAN_HOST |
AppGuardStopContainer |
SCAN_HOST |
AppLockerBlockExecutable |
PROCESS_UNCATEGORIZED |
AsrObfuscatedScriptAudited |
SCAN_HOST |
AsrObfuscatedScriptBlocked |
SCAN_HOST |
AsrOfficeChildProcessBlocked |
SCAN_HOST |
AsrOfficeProcessInjectionBlocked |
SCAN_HOST |
AsrPsexecWmiChildProcessBlocked |
SCAN_HOST |
AsrScriptExecutableDownloadBlocked |
SCAN_HOST |
AsrUntrustedUsbProcessBlocked |
SCAN_HOST |
ExploitGuardChildProcessBlocked |
SCAN_HOST |
ExploitGuardLowIntegrityImageBlocked |
SCAN_HOST |
ExploitGuardSharedBinaryAudited |
SCAN_HOST |
ExploitGuardSharedBinaryBlocked |
SCAN_HOST |
MemoryRemoteProtect |
PROCESS_UNCATEGORIZED |
NamedPipeEvent |
PROCESS_UNCATEGORIZED |
NtAllocateVirtualMemoryApiCall |
PROCESS_UNCATEGORIZED |
NtAllocateVirtualMemoryRemoteApiCall |
PROCESS_UNCATEGORIZED |
NtMapViewOfSectionRemoteApiCall |
PROCESS_UNCATEGORIZED |
NtProtectVirtualMemoryApiCall |
PROCESS_UNCATEGORIZED |
ProcessPrimaryTokenModified |
PROCESS_UNCATEGORIZED |
PTraceDetected |
PROCESS_UNCATEGORIZED |
ReadProcessMemoryApiCall |
PROCESS_UNCATEGORIZED |
SetThreadContextRemoteApiCall |
PROCESS_UNCATEGORIZED |
WriteProcessMemoryApiCall |
PROCESS_UNCATEGORIZED |
WriteToLsassProcessMemory |
PROCESS_UNCATEGORIZED |
AsrOfficeCommAppChildProcessBlocked |
SCAN_HOST |
AppControlCIScriptAudited |
SCAN_HOST |
AppControlCIScriptBlocked |
SCAN_HOST |
AppControlCodeIntegrityImageAudited |
SCAN_HOST |
AppControlCodeIntegrityImageRevoked |
SCAN_HOST |
AppControlCodeIntegrityOriginAllowed |
SCAN_HOST |
AppControlCodeIntegrityOriginAudited |
SCAN_HOST |
AppControlCodeIntegrityOriginBlocked |
SCAN_HOST |
AppControlScriptAudited |
SCAN_HOST |
AppControlScriptBlocked |
SCAN_HOST |
AsrExecutableEmailContentBlocked |
SCAN_HOST |
SafeDocFileScan |
SCAN_FILE |
AntivirusDefinitionsUpdated |
SCAN_HOST |
AntivirusDefinitionsUpdateFailed |
SCAN_HOST |
AntivirusDetection |
SCAN_HOST |
AntivirusDetectionActionType |
SCAN_HOST |
AntivirusEmergencyUpdatesInstalled |
SCAN_HOST |
AntivirusError |
SCAN_HOST |
AntivirusMalwareActionFailed |
SCAN_HOST |
AntivirusMalwareBlocked |
SCAN_HOST |
AntivirusReport |
SCAN_HOST |
AntivirusScanCancelled |
SCAN_HOST |
AntivirusScanCompleted |
SCAN_HOST |
AntivirusScanFailed |
SCAN_HOST |
AntivirusTroubleshootModeEvent |
SCAN_HOST |
AppControlCodeIntegrityDriverRevoked |
SCAN_HOST |
AppControlCodeIntegrityPolicyAudited |
SCAN_HOST |
AppControlCodeIntegrityPolicyBlocked |
SCAN_HOST |
AppControlCodeIntegrityPolicyLoaded |
SCAN_HOST |
AppControlCodeIntegritySigningInformation |
SCAN_HOST |
AppControlExecutableAudited |
SCAN_HOST |
AppControlExecutableBlocked |
SCAN_HOST |
AppControlPackagedAppAudited |
SCAN_HOST |
AppControlPackagedAppBlocked |
SCAN_HOST |
AccountCheckedForBlankPassword |
SCAN_UNCATEGORIZED |
SmartScreenAppWarning |
SCAN_UNCATEGORIZED |
SmartScreenExploitWarning |
SCAN_HOST |
SmartScreenUrlWarning |
SCAN_UNCATEGORIZED |
SmartScreenUserOverride |
SCAN_UNCATEGORIZED |
ScheduledTaskCreated |
SCHEDULED_TASK_CREATION |
ScheduledTaskDeleted |
SCHEDULED_TASK_DELETION |
ScheduledTaskDisabled |
SCHEDULED_TASK_DISABLE |
ScheduledTaskEnabled |
SCHEDULED_TASK_ENABLE |
ScheduledTaskUpdated |
SCHEDULED_TASK_MODIFICATION |
ServiceInstalled |
SERVICE_CREATION |
DirectoryServiceObjectCreated |
SERVICE_MODIFICATION |
DirectoryServiceObjectModified |
SERVICE_MODIFICATION |
AuditPolicyModification |
SERVICE_MODIFICATION |
CreateRemoteThreadApiCall |
PROCESS_UNCATEGORIZED |
CredentialsBackup |
SERVICE_START |
FirewallServiceStopped |
SERVICE_STOP |
BitLockerAuditCompleted |
SERVICE_UNSPECIFIED |
AppControlPolicyApplied |
SCAN_HOST |
AppGuardResumeContainer |
SCAN_HOST |
AppLockerBlockPackagedApp |
STATUS_UPDATE |
AppLockerBlockPackagedAppInstallation |
STATUS_UPDATE |
AppLockerBlockScript |
STATUS_UPDATE |
AsrExecutableOfficeContentBlocked |
SCAN_HOST |
AsrLsassCredentialTheftAudited |
SCAN_HOST |
AsrLsassCredentialTheftBlocked |
SCAN_HOST |
AsrOfficeMacroWin32ApiCallsAudited |
SCAN_HOST |
AsrOfficeMacroWin32ApiCallsBlocked |
SCAN_HOST |
AsrPersistenceThroughWmiAudited |
SCAN_HOST |
AsrPersistenceThroughWmiBlocked |
SCAN_HOST |
AsrRansomwareAudited |
SCAN_HOST |
AsrRansomwareBlocked |
SCAN_HOST |
AsrVulnerableSignedDriverAudited |
SCAN_HOST |
AsrVulnerableSignedDriverBlocked |
SCAN_HOST |
BluetoothPolicyTriggered |
STATUS_UPDATE |
ClrUnbackedModuleLoaded |
PROCESS_MODULE_LOAD |
ControlFlowGuardViolation |
STATUS_UPDATE |
DeviceBootAttestationInfo |
STATUS_UPDATE |
DriverLoad |
PROCESS_MODULE_LOAD |
ExploitGuardEafViolationAudited |
SCAN_HOST |
ExploitGuardEafViolationBlocked |
SCAN_HOST |
ExploitGuardIafViolationAudited |
SCAN_HOST |
ExploitGuardIafViolationBlocked |
SCAN_HOST |
ExploitGuardNonMicrosoftSignedAudited |
SCAN_HOST |
ExploitGuardNonMicrosoftSignedBlocked |
SCAN_HOST |
ExploitGuardRopExploitAudited |
SCAN_HOST |
ExploitGuardRopExploitBlocked |
SCAN_HOST |
ExploitGuardWin32SystemCallAudited |
SCAN_HOST |
ExploitGuardWin32SystemCallBlocked |
SCAN_HOST |
GetAsyncKeyStateApiCall |
STATUS_UPDATE |
OtherAlertRelatedActivity |
STATUS_UPDATE |
PnpDeviceAllowed |
DEVICE_CONFIG_UPDATE |
PnpDeviceBlocked |
STATUS_UPDATE |
PnpDeviceConnected |
STATUS_UPDATE |
PrintJobBlocked |
STATUS_UPDATE |
RemovableStoragePolicyTriggered |
STATUS_UPDATE |
SecurityLogCleared |
SYSTEM_AUDIT_LOG_WIPE |
TvmAxonTelemetryEvent |
STATUS_UPDATE |
UsbDriveMount |
DEVICE_CONFIG_UPDATE |
UsbDriveMounted |
DEVICE_CONFIG_UPDATE |
UsbDriveUnmount |
DEVICE_CONFIG_UPDATE |
UsbDriveUnmounted |
DEVICE_CONFIG_UPDATE |
WmiBindEventFilterToConsumer |
STATUS_UPDATE |
TamperingAttempt |
SETTING_MODIFICATION |
PasswordChangeAttempt |
USER_CHANGE_PASSWORD |
LogonRightsSettingEnabled |
USER_CHANGE_PERMISSIONS |
UserAccountCreated |
USER_CREATION |
UserAccountDeleted |
USER_DELETION |
LdapSearch |
STATUS_UPDATE |
ControlledFolderAccessViolationAudited |
SCAN_FILE |
ControlledFolderAccessViolationBlocked |
SCAN_FILE |
ExploitGuardAcgAudited |
SCAN_HOST |
ExploitGuardAcgEnforced |
SCAN_HOST |
UserAccountModified |
USER_UNCATEGORIZED |
Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceEvents
The following table lists the log fields for theDeviceEvents log type and their corresponding UDM fields:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.Timestamp |
metadata.event_timestamp |
|
properties.ActionType |
metadata.event_type |
|
properties.ReportId |
metadata.product_log_id |
|
properties.LogonId |
network.session_id |
|
properties.DeviceId |
principal.asset_id |
The principal.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.InitiatingProcessAccountDomain |
principal.administrative_domain |
If the properties.ActionType log field contains one of the following values, and the properties.InitiatingProcessAccountDomain log field value is not empty, then the properties.InitiatingProcessAccountDomain log field is mapped to the target.administrative_domain UDM field.
properties.InitiatingProcessAccountDomain log field value is not empty, then the properties.InitiatingProcessAccountDomain log field is mapped to the principal.administrative_domain UDM field. |
properties.AccountDomain |
principal.administrative_domain |
If the properties.ActionType log field contains one of the following values, and the properties.InitiatingProcessAccountDomain log field value is empty, then the properties.AccountDomain log field is mapped to the target.administrative_domain UDM field.
properties.InitiatingProcessAccountDomain log field value is empty, then the properties.AccountDomain log field is mapped to the principal.administrative_domain UDM field. |
properties.DeviceName |
principal.hostname |
|
properties.LocalIP |
principal.ip |
|
properties.FileOriginIP |
principal.ip |
|
properties.LocalPort |
principal.port |
|
properties.InitiatingProcessCommandLine |
principal.process.command_line |
|
properties.InitiatingProcessFolderPath |
principal.process.file.full_path |
If the properties.InitiatingProcessFolderPath log field value matches the regular expression pattern the properties.InitiatingProcessFileName log field value, then the properties.InitiatingProcessFolderPath log field is mapped to the principal.process.file.full_path UDM field.Else, the principal.process.file.full_path is set to %{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}. |
properties.InitiatingProcessMD5 |
principal.process.file.md5 |
If the properties.InitiatingProcessMD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessMD5 log field is mapped to the principal.process.file.md5 UDM field. |
properties.InitiatingProcessFileName |
principal.process.file.names |
|
properties.InitiatingProcessSHA1 |
principal.process.file.sha1 |
If the properties.InitiatingProcessSHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessSHA1 log field is mapped to the principal.process.file.sha1 UDM field. |
properties.InitiatingProcessSHA256 |
principal.process.file.sha256 |
If the properties.InitiatingProcessSHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.InitiatingProcessSHA256 log field is mapped to the principal.process.file.sha256 UDM field. |
properties.InitiatingProcessFileSize |
principal.process.file.size |
|
properties.InitiatingProcessParentFileName |
principal.process.parent_process.file.names |
|
properties.InitiatingProcessParentId |
principal.process.parent_process.pid |
|
properties.InitiatingProcessId |
principal.process.pid |
|
properties.FileOriginUrl |
principal.url |
|
properties.InitiatingProcessAccountObjectId |
principal.user.product_object_id |
|
properties.InitiatingProcessAccountUpn |
principal.user.user_display_name |
|
properties.InitiatingProcessAccountName |
principal.user.userid |
If the properties.ActionType log field contains one of the following values, and the properties.InitiatingProcessAccountName log field value is not empty, then the properties.InitiatingProcessAccountName log field is mapped to the target.user.userid UDM field.
properties.InitiatingProcessAccountName log field value is not empty, then the properties.InitiatingProcessAccountName log field is mapped to the principal.user.userid UDM field. |
properties.AccountName |
principal.user.userid |
If the properties.ActionType log field contains one of the following values, and the properties.InitiatingProcessAccountName log field value is empty, then the properties.AccountName log field is mapped to the target.user.userid UDM field.
properties.InitiatingProcessAccountName log field value is empty, then the properties.AccountName log field is mapped to the principal.user.userid UDM field. |
properties.InitiatingProcessAccountSid |
principal.user.windows_sid |
If the properties.ActionType log field contains one of the following values, and the properties.InitiatingProcessAccountSid log field value is not empty, then the properties.InitiatingProcessAccountSid log field is mapped to the target.user.windows_sid UDM field.
properties.InitiatingProcessAccountSid log field value is not empty, then the properties.InitiatingProcessAccountSid log field is mapped to the principal.user.windows_sid UDM field. |
properties.AccountSid |
principal.user.windows_sid |
If the properties.ActionType log field contains one of the following values, and the properties.InitiatingProcessAccountSid log field value is empty, then the properties.AccountSid log field is mapped to the target.user.windows_sid UDM field.
properties.InitiatingProcessAccountSid log field value is empty, then the properties.AccountSid log field is mapped to the principal.user.windows_sid UDM field. |
properties.ActionType |
security_result.action |
If the properties.ActionType log field value matches the regular expression pattern (?i)Allow, then the security_result.action UDM field is set to ALLOW.Else if the properties.ActionType log field value matches the regular expression pattern (?i)Block, then the security_result.action UDM field is set to BLOCK.Else if the properties.ActionType log field value matches the regular expression pattern (?i)Fail, then the security_result.action UDM field is set to FAIL. |
properties.FolderPath |
target.file.full_path |
If the properties.RemoteDeviceName log field value contain one of the following values
properties.FolderPath log field value matches the regular expression pattern the then, properties.FolderPath log field is mapped to the target.process.file.full_path UDM field. Else, %{properties.FolderPath}\%{properties.FileName} log field is mapped to the target.process.file.full_path UDM field. Else, if the properties.FolderPath log field value matches the regular expression pattern the then, properties.FolderPath log field is mapped to the target.file.full_path UDM field. Else, %{properties.FolderPath}\%{properties.FileName} log field is mapped to the target.file.full_path UDM field. |
properties.MD5 |
target.file.md5 |
If the properties.RemoteDeviceName log field value contain one of the following values
properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$ then, properties.MD5 log field is mapped to the target.process.file.md5 UDM field. Else, if the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$ then, properties.MD5 log field is mapped to the target.file.md5 UDM field. |
properties.FileName |
target.file.names |
If the properties.RemoteDeviceName log field value contain one of the following values
properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$ then, properties.FileName log field is mapped to the target.process.file.names UDM field. Else, if the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$ then, properties.FileName log field is mapped to the target.file.names UDM field. |
properties.SHA1 |
target.file.sha1 |
If the properties.RemoteDeviceName log field value contain one of the following values
properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$ then, properties.SHA1 log field is mapped to the target.process.file.sha1 UDM field. Else, if the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$ then, properties.SHA1 log field is mapped to the target.file.sha1 UDM field. |
properties.SHA256 |
target.file.sha256 |
If the properties.RemoteDeviceName log field value contain one of the following values
properties.SHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$ then, properties.SHA256 log field is mapped to the target.process.file.sha256 UDM field. Else, if the properties.SHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$ then, properties.SHA256 log field is mapped to the target.file.sha256 UDM field. |
properties.FileSize |
target.file.size |
If the properties.RemoteDeviceName log field value contain one of the following values
properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$ then, properties.FileSize log field is mapped to the target.process.file.size UDM field. Else, if the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$ then, properties.FileSize log field is mapped to the target.file.size UDM field. |
properties.RemoteDeviceName |
target.hostname |
|
properties.RemoteIP |
target.ip |
|
properties.RemotePort |
target.port |
|
properties.ProcessCommandLine |
target.process.command_line |
|
properties.ProcessId |
target.process.pid |
|
properties.ProcessTokenElevation |
target.process.token_elevation_type |
If the properties.ProcessTokenElevation log field value is equal to TokenElevationTypeFull, then the target.process.token_elevation_type UDM field is set to TYPE_1.Else, if the properties.ProcessTokenElevation log field value is equal to TokenElevationTypeDefault, then the target.process.token_elevation_type UDM field is set to TYPE_2.Else, if the properties.ProcessTokenElevation log field value is equal to TokenElevationTypeLimited, then the target.process.token_elevation_type UDM field is set to TYPE_3. |
properties.RegistryKey |
target.registry.registry_key |
|
properties.RegistryValueData |
target.registry.registry_value_data |
|
properties.RegistryValueName |
target.registry.registry_value_name |
|
properties.RemoteUrl |
target.url |
|
properties.AdditionalFields |
additional.fields[additional_fields] |
|
properties.AppGuardContainerId |
additional.fields[app_guard_container_id] |
|
properties.InitiatingProcessCreationTime |
additional.fields[initiating_process_creation_time] |
|
properties.InitiatingProcessLogonId |
additional.fields[initiating_process_logon_id] |
|
properties.InitiatingProcessParentCreationTime |
additional.fields[initiating_process_parent_creation_time] |
|
properties.ProcessCreationTime |
additional.fields[process_creation_time] |
|
properties.InitiatingProcessVersionInfoCompanyName |
principal.process.file.exif_info.company |
|
properties.InitiatingProcessVersionInfoFileDescription |
principal.process.file.exif_info.file_description |
|
properties.InitiatingProcessVersionInfoInternalFileName |
additional.fields[process_version_info_internal_file_name] |
|
properties.InitiatingProcessVersionInfoOriginalFileName |
principal.process.file.exif_info.original_file |
|
properties.InitiatingProcessVersionInfoProductName |
principal.process.file.exif_info.product |
|
properties.InitiatingProcessVersionInfoProductVersion |
additional.fields[process_version_info_product_version] |
Field mapping reference: MICROSOFT DEFENDER ENDPOINT - AlertEvidence
The following table lists the log fields for theAlertEvidence log type and their corresponding UDM fields:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.Application |
additional.fields[application] |
|
|
metadata.event_type |
The metadata.event_type UDM field is set to SCAN_HOST. |
properties.DeviceId |
principal.asset_id |
If the properties.DeviceId log field value is not empty, then the DeviceID:properties.DeviceId log field is mapped to the principal.asset_id UDM field. |
properties.DeviceName |
principal.hostname |
If the properties.DeviceName log field value is not empty then, properties.DeviceName log field is mapped to the principal.hostname UDM field. Else, if the properties.AdditionalFields.HostName log field value is not empty then, properties.AdditionalFields.HostName log field is mapped to the principal.hostname UDM field. Else, if the properties.AdditionalFields.Host.HostName log field value is not empty then, properties.AdditionalFields.Host.HostName log field is mapped to the principal.hostname UDM field. Else, if the properties.AdditionalFields.ImageFile.Host.HostName log field value is not empty then, AdditionalFields.ImageFile.Host.HostName log field is mapped to the principal.hostname UDM field. |
properties.LocalIP |
principal.asset.ip |
If the properties.LocalIP log field value is not empty, then the properties.LocalIP log field is mapped to the principal.asset.ip UDM field. |
properties.FolderPath |
target.file.full_path |
If the properties.FileName log field value matches the regular expression pattern the properties.FolderPath, then the properties.FolderPath log field is mapped to the target.file.full_path UDM field.Else, the properties.FolderPath/properties.FileName log field is mapped to the target.file.full_path UDM field. |
properties.FileName |
target.file.names |
|
properties.SHA1 |
target.file.sha1 |
If the properties.SHA1 log field value matches the regular expression pattern ^the , then the properties.SHA1 log field is mapped to the target.file.sha1 UDM field. |
properties.SHA256 |
target.file.sha256 |
If the properties.SHA256 log field value matches the regular expression pattern ^the , then the properties.SHA256 log field is mapped to the target.file.sha256 UDM field. |
properties.FileSize |
target.file.size |
|
properties.AccountDomain |
principal.administrative_domain |
|
properties.RemoteIP |
target.ip |
|
properties.AdditionalFields |
additional.fields[additionalfields] |
|
properties.ProcessCommandLine |
target.process.command_line |
|
properties.RegistryKey |
target.registry.registry_key |
|
properties.RegistryValueData |
target.registry.registry_value_data |
|
properties.RegistryValueName |
target.registry.registry_value_name |
|
properties.CloudPlatform |
principal.resource.attribute.cloud.environment |
If the properties.CloudPlatform log field value matches the regular expression pattern /(?i)Amazon Web Services/, then the principal.resource.attribute.cloud.environment UDM field is set to AMAZON_WEB_SERVICES.Else, if the properties.CloudPlatform log field value matches the regular expression pattern /(?i)Google Cloud Platform/, then the principal.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM.Else, if the properties.CloudPlatform log field value matches the regular expression pattern /(?i)Azure/, then the principal.resource.attribute.cloud.environment UDM field is set to MICROSOFT_AZURE.Else, the principal.resource.attribute.cloud.environment UDM field is set to UNSPECIFIED_CLOUD_ENVIRONMENT. |
properties.SubscriptionId |
principal.resource.attribute.labels[subscription_id] |
|
properties.CloudResource |
principal.resource.name |
|
properties.ResourceID |
principal.resource.product_object_id |
|
|
principal.resource.resource_type |
The principal.resource.resource_type UDM field is set to CLOUD_PROJECT. |
properties.Categories |
security_result.category_details |
|
properties.Severity |
security_result.severity |
|
properties.Title |
security_result.summary |
|
properties.Title |
security_result.threat_name |
|
properties.Title |
security_result.rule_name |
|
properties.ThreatFamily |
security_result.detection_fields[threat_family] |
|
properties.RemoteUrl |
target.url |
|
properties.EvidenceDirection |
principal.user.attribute.labels[evidence_direction] |
|
properties.EvidenceRole |
principal.user.attribute.labels[evidence_role] |
|
properties.AccountObjectId |
additional.fields[account_object_id] |
|
properties.AccountUpn |
principal.user.user_display_name |
|
properties.AccountName |
principal.user.userid |
|
properties.AccountSid |
principal.user.windows_sid |
|
properties.Timestamp |
metadata.event_timestamp |
|
properties.EntityType |
principal.resource.resource_subtype |
|
properties.AlertId |
metadata.product_log_id |
|
properties.DetectionSource |
security_result.about.resource.attribute.labels[detection_source] |
|
properties.ServiceSource |
security_result.about.resource.attribute.labels[service_source] |
|
properties.AttackTechniques |
security_result.attack_details.techniques.name |
|
properties.ApplicationId |
additional.fields[application_id] |
|
properties.EmailSubject |
network.email.subject |
|
properties.NetworkMessageId |
network.email.mail_id |
|
properties.OAuthApplicationId |
additional.fields[oauth_application_id] |
Field mapping reference: MICROSOFT DEFENDER ENDPOINT - AlertInfo
The following table lists the log fields for theAlertInfo log type and their corresponding UDM fields:
| Log field | UDM mapping | Logic |
|---|---|---|
|
is_alert |
The is_alert UDM field is set to true. |
|
is_significant |
The is_significant UDM field is set to true. |
properties.Timestamp |
metadata.event_timestamp |
|
|
metadata.event_type |
The metadata.event_type UDM field is set to GENERIC_EVENT. |
properties.AlertId |
metadata.product_log_id |
|
properties.AttackTechniques |
security_result.attack_details.techniques.name |
|
properties.DetectionSource |
security_result.detection_fields[detection_source] |
|
properties.ServiceSource |
security_result.detection_fields[service_source] |
|
properties.Severity |
security_result.severity |
If the properties.Severity log field value matches the regular expression pattern (?i)(informational), then the security_result.severity UDM field is set to INFORMATIONAL.Else, if the properties.Severity log field value matches the regular expression pattern (?i)(low), then the security_result.severity UDM field is set to LOW.Else, if the properties.Severity log field value matches the regular expression pattern (?i)(medium), then the security_result.severity UDM field is set to MEDIUM.Else, if the properties.Severity log field value matches the regular expression pattern (?i)(high), then the security_result.severity UDM field is set to HIGH. |
properties.Category |
security_result.category_details |
|
properties.Title |
security_result.threat_name |
|
properties.Title |
security_result.rule_name |
Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceAlertEvents
The following table lists the log fields for theDeviceAlertEvents log type and their corresponding UDM fields:
| Log field | UDM mapping | Logic |
|---|---|---|
|
is_alert |
The is_alert UDM field is set to true. |
|
is_significant |
The is_significant UDM field is set to true. |
properties.Timestamp |
metadata.event_timestamp |
|
|
metadata.event_type |
The metadata.event_type UDM field is set to SCAN_HOST. |
properties.ReportId |
security_result.detection_fields[report_id] |
|
properties.DeviceId |
principal.asset_id |
The principal.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.MachineGroup |
principal.group.group_display_name |
|
properties.DeviceName |
principal.hostname |
|
properties.AttackTechniques |
security_result.attack_details.techniques.name |
|
properties.Category |
security_result.category_details |
|
properties.AlertId |
metadata.product_log_id |
|
properties.MitreTechniques |
security_result.detection_fields[mitre_techniques] |
|
properties.Severity |
security_result.severity |
If the properties.Severity log field value is equal to High, then the security_result.severity UDM field is set to HIGH.Else, if the properties.Severity log field value is equal to Medium, then the security_result.severity UDM field is set to MEDIUM.Else, if the properties.Severity log field value is equal to Low, then the security_result.severity UDM field is set to LOW.Else, if the properties.Severity log field value is equal to Informational, then the security_result.severity UDM field is set to INFORMATIONAL. |
properties.Title |
security_result.threat_name |
|
properties.Title |
security_result.rule_name |
|
properties.RemoteIp |
target.ip |
|
properties.FileName |
target.file.names |
|
properties.SHA1 |
target.file.sha1 |
If the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.SHA1 log field is mapped to the target.file.sha1 UDM field. |
properties.RemoteUrl |
target.url |
|
properties.Table |
additional.fields[table] |
Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceFileCertificateInfo
The following table lists the log fields for theDeviceFileCertificateInfo log type and their corresponding UDM fields:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.Timestamp |
metadata.event_timestamp |
|
|
metadata.event_type |
The metadata.event_type UDM field is set to STATUS_UPDATE. |
properties.ReportId |
metadata.product_log_id |
|
properties.DeviceId |
principal.asset_id |
The principal.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.SHA1 |
principal.file.sha1 |
If the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.SHA1 log field is mapped to the target.file.sha1 UDM field. |
properties.Issuer |
principal.file.signature_info.sigcheck.signers.cert_issuer |
|
properties.Signer |
principal.file.signature_info.sigcheck.signers.name |
|
properties.IsSigned |
principal.file.signature_info.sigcheck.verified |
If the properties.IsSigned log field value is equal to true, then the principal.file.signature_info.sigcheck.verified UDM field is set to TRUE.Else, the principal.file.signature_info.sigcheck.verified UDM field is set to FALSE. |
properties.DeviceName |
principal.hostname |
|
properties.CertificateCountersignatureTime |
additional.fields[certificate_countersignature_time] |
|
properties.CertificateSerialNumber |
additional.fields[certificate_serial_number] |
|
properties.CertificateCreationTime |
additional.fields[certification_creation_time] |
|
properties.CertificateExpirationTime |
additional.fields[certification_expiration_time] |
|
properties.CrlDistributionPointUrls |
additional.fields[crl_distribution_point_urls] |
|
properties.IsRootSignerMicrosoft |
additional.fields[is_root_signer_microsoft] |
|
properties.IsTrusted |
additional.fields[is_trusted] |
|
properties.IssuerHash |
additional.fields[issuer_hash] |
|
properties.SignatureType |
additional.fields[signature_type] |
|
properties.SignerHash |
additional.fields[signer_hash] |
Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceImageLoadEvents
The following table lists the log fields for theDeviceImageLoadEvents log type and their corresponding UDM fields:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.Timestamp |
metadata.event_timestamp |
|
|
metadata.event_type |
The metadata.event_type UDM field is set to PROCESS_MODULE_LOAD. |
properties.ReportId |
metadata.product_log_id |
|
properties.InitiatingProcessAccountDomain |
principal.administrative_domain |
|
principal.DeviceId |
principal.asset_id |
The principal.asset_id is set to DeviceID:%{principal.DeviceId}. |
properties.DeviceName |
principal.hostname |
|
properties.InitiatingProcessCommandLine |
principal.process.command_line |
|
properties.InitiatingProcessFolderPath |
principal.process.file.full_path |
If the properties.InitiatingProcessFolderPath log field value matches the regular expression pattern the properties.InitiatingProcessFileName log field value, then the properties.InitiatingProcessFolderPath log field is mapped to the principal.process.file.full_path UDM field.Else, the principal.process.file.full_path is set to %{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}. |
properties.InitiatingProcessMD5 |
principal.process.file.md5 |
If the properties.InitiatingProcessMD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessMD5 log field is mapped to the principal.process.file.md5 UDM field. |
properties.InitiatingProcessFileName |
principal.process.file.names |
|
properties.InitiatingProcessSHA1 |
principal.process.file.sha1 |
If the properties.InitiatingProcessSHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessSHA1 log field is mapped to the principal.process.file.sha1 UDM field. |
properties.InitiatingProcessSHA256 |
principal.process.file.sha256 |
If the properties.InitiatingProcessSHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.InitiatingProcessSHA256 log field is mapped to the principal.process.file.sha256 UDM field. |
properties.InitiatingProcessFileSize |
principal.process.file.size |
|
properties.InitiatingProcessParentFileName |
principal.process.parent_process.file.names |
|
properties.InitiatingProcessParentId |
principal.process.parent_process.pid |
|
properties.InitiatingProcessId |
principal.process.pid |
|
properties.InitiatingProcessTokenElevation |
principal.process.token_elevation_type |
If the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeFull, then the principal.process.token_elevation_type UDM field is set to TYPE_1.Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeDefault, then the principal.process.token_elevation_type UDM field is set to TYPE_2.Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeLimited, then the principal.process.token_elevation_type UDM field is set to TYPE_3. |
properties.InitiatingProcessAccountObjectId |
principal.user.product_object_id |
|
properties.InitiatingProcessAccountUpn |
principal.user.user_display_name |
|
properties.InitiatingProcessAccountName |
principal.user.userid |
|
properties.InitiatingProcessAccountSid |
principal.user.windows_sid |
|
properties.FolderPath |
target.process.file.full_path |
If the properties.FolderPath log field value matches the regular expression pattern the properties.FileName, then the properties.FolderPath log field is mapped to the target.process.file.full_path UDM field.Else, the target.process.file.full_pathis set to %{properties.FolderPath}/%{properties.FileName}. |
properties.MD5 |
target.process.file.md5 |
If the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.MD5 log field is mapped to the target.process.file.md5 UDM field. |
properties.FileName |
target.process.file.names |
|
properties.SHA1 |
target.process.file.sha1 |
If the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.SHA1 log field is mapped to the target.process.file.sha1 UDM field. |
properties.SHA256 |
target.process.file.sha256 |
If the properties.SHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.SHA256 log field is mapped to the target.process.file.sha256 UDM field. |
properties.FileSize |
target.process.file.size |
|
properties.FolderPath |
target.file.full_path |
If the properties.FolderPath log field value matches the regular expression pattern the properties.FileName, then the properties.FolderPath log field is mapped to the target.file.full_path UDM field.Else, the target.file.full_pathis set to %{properties.FolderPath}/%{properties.FileName}. |
properties.MD5 |
target.file.md5 |
If the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.MD5 log field is mapped to the target.process.file.md5 UDM field. |
properties.FileName |
target.file.names |
|
properties.SHA1 |
target.file.sha1 |
If the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.SHA1 log field is mapped to the target.file.sha1 UDM field. |
properties.SHA256 |
target.file.sha256 |
If the properties.SHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.SHA256 log field is mapped to the target.file.sha256 UDM field. |
properties.FileSize |
target.file.size |
|
properties.AppGuardContainerId |
additional.fields[app_guard_container_id] |
|
properties.InitiatingProcessCreationTime |
additional.fields[initiating_process_creation_time] |
|
properties.InitiatingProcessIntegrityLevel |
additional.fields[initiating_process_integrity_level] |
|
properties.InitiatingProcessParentCreationTime |
additional.fields[initiating_process_parent_creation_time] |
|
properties.InitiatingProcessVersionInfoCompanyName |
principal.process.file.exif_info.company |
|
properties.InitiatingProcessVersionInfoFileDescription |
principal.process.file.exif_info.file_description |
|
properties.InitiatingProcessVersionInfoInternalFileName |
additional.fields[initiating_process_version_info_internal_file_name] |
|
properties.InitiatingProcessVersionInfoOriginalFileName |
principal.process.file.exif_info.original_file |
|
properties.InitiatingProcessVersionInfoProductName |
principal.process.file.exif_info.product |
|
properties.InitiatingProcessVersionInfoProductVersion |
additional.fields[initiating_process_version_info_product_version] |
Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceFileEvents
The following table lists the log fields for theDeviceFileEvents log type and their corresponding UDM fields:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.Timestamp |
metadata.event_timestamp |
|
properties.ActionType |
metadata.event_type |
If the properties.ActionType log field value is equal to FileCreated, then the metadata.event_type UDM field is set to FILE_CREATION.Else, if the properties.ActionType log field value is equal to FileDeleted, then the metadata.event_type UDM field is set to FILE_DELETION.Else, if the properties.ActionType log field value is equal to FileModified, then the metadata.event_type UDM field is set to FILE_MODIFICATION.Else, if the properties.ActionType log field value is equal to FileRenamed, then the metadata.event_type UDM field is set to FILE_MOVE. |
properties.ReportId |
metadata.product_log_id |
|
properties.RequestProtocol |
network.application_protocol |
If the properties.RequestProtocol log field value is equal to SMB, then the network.application_protocol UDM field is set to SMB.Else, if the properties.RequestProtocol log field value is equal to NFS, then the network.application_protocol UDM field is set to NFS.Else, if the properties.RequestProtocol log field value is equal to Local, then the network.application_protocol UDM field is set to UNKNOWN_APPLICATION_PROTOCOL. |
properties.FileOriginReferrerUrl |
network.http.referral_url |
|
properties.InitiatingProcessAccountDomain |
principal.administrative_domain |
If the properties.InitiatingProcessAccountDomain log field value is not empty, then the properties.InitiatingProcessAccountDomain log field is mapped to the principal.administrative_domain UDM field. |
properties.RequestAccountDomain |
principal.administrative_domain |
If the properties.InitiatingProcessAccountDomain log field value is empty, then the properties.RequestAccountDomain log field is mapped to the principal.administrative_domain UDM field. |
properties.DeviceId |
principal.asset_id |
The principal.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.DeviceName |
principal.hostname |
|
properties.FileOriginIP |
principal.ip |
|
properties.RequestSourceIP |
principal.ip |
|
properties.RequestSourcePort |
principal.port |
|
properties.InitiatingProcessCommandLine |
principal.process.command_line |
|
properties.InitiatingProcessFolderPath |
principal.process.file.full_path |
If the properties.InitiatingProcessFolderPath log field value matches the regular expression pattern the properties.InitiatingProcessFileName log field value, then the properties.InitiatingProcessFolderPath log field is mapped to the principal.process.file.full_path UDM field.Else, the principal.process.file.full_path is set to %{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}. |
properties.InitiatingProcessMD5 |
principal.process.file.md5 |
If the properties.InitiatingProcessMD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessMD5 log field is mapped to the principal.process.file.md5 UDM field. |
properties.InitiatingProcessFileName |
principal.process.file.names |
|
properties.InitiatingProcessSHA1 |
principal.process.file.sha1 |
If the properties.InitiatingProcessSHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessSHA1 log field is mapped to the principal.process.file.sha1 UDM field. |
properties.InitiatingProcessSHA256 |
principal.process.file.sha256 |
If the properties.InitiatingProcessSHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.InitiatingProcessSHA256 log field is mapped to the principal.process.file.sha256 UDM field. |
properties.InitiatingProcessFileSize |
principal.process.file.size |
|
properties.InitiatingProcessParentId |
principal.process.parent_process.pid |
|
properties.InitiatingProcessParentFileName |
principal.process.parent_process.file.names |
|
properties.InitiatingProcessId |
principal.process.pid |
|
properties.InitiatingProcessTokenElevation |
principal.process.token_elevation_type |
If the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeFull, then the principal.process.token_elevation_type UDM field is set to TYPE_1.Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeDefault, then the principal.process.token_elevation_type UDM field is set to TYPE_2.Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeLimited, then the principal.process.token_elevation_type UDM field is set to TYPE_3. |
properties.FileOriginUrl |
principal.url |
|
properties.InitiatingProcessAccountObjectId |
principal.user.product_object_id |
|
properties.InitiatingProcessAccountUpn |
principal.user.user_display_name |
|
properties.InitiatingProcessAccountName |
principal.user.userid |
If the properties.InitiatingProcessAccountName log field value is not empty, then the properties.InitiatingProcessAccountName log field is mapped to the principal.user.userid UDM field. |
properties.RequestAccountName |
principal.user.userid |
If the properties.InitiatingProcessAccountName log field value is empty, then the properties.RequestAccountName log field is mapped to the principal.user.userid UDM field. |
properties.InitiatingProcessAccountSid |
principal.user.windows_sid |
If the properties.InitiatingProcessAccountSid log field value is not empty, then the properties.InitiatingProcessAccountSid log field is mapped to the principal.user.windows_sid UDM field. |
properties.RequestAccountSid |
principal.user.windows_sid |
If the properties.InitiatingProcessAccountSid log field value is empty, then the properties.RequestAccountSid log field is mapped to the principal.user.windows_sid UDM field. |
properties.PreviousFolderPath |
src.file.full_path |
If the properties.PreviousFolderPath log field value matches the regular expression pattern the properties.PreviousFileName log field value, then the properties.PreviousFolderPath log field is mapped to the src.file.full_path UDM field.Else, src.file.full_path set to the %{properties.PreviousFolderPath}/%{properties.PreviousFileName}. |
properties.PreviousFileName |
src.file.names |
|
properties.FolderPath |
target.file.full_path |
If the properties.FolderPath log field value matches the regular expression pattern the properties.FileName log field value, then the properties.FolderPath log field is mapped to the target.file.full_path UDM field.Else, the target.file.full_path set to %{properties.FolderPath}/%{properties.FileName}. |
properties.MD5 |
target.file.md5 |
If the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.MD5 log field is mapped to the target.file.md5 UDM field. |
properties.FileName |
target.file.names |
|
properties.SHA1 |
target.file.sha1 |
If the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.SHA1 log field is mapped to the target.file.sha1 UDM field. |
properties.SHA256 |
target.file.sha256 |
If the properties.SHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.SHA256 log field is mapped to the target.file.sha256 UDM field. |
properties.FileSize |
target.file.size |
|
properties.SensitivityLabel |
target.file.tags |
|
properties.SensitivitySubLabel |
target.file.tags |
|
properties.AdditionalFields |
additional.fields[additional_fields] |
|
properties.AppGuardContainerId |
additional.fields[app_guard_container_id] |
|
properties.InitiatingProcessCreationTime |
additional.fields[initiating_process_creation_time] |
|
properties.InitiatingProcessIntegrityLevel |
additional.fields[initiating_process_integrity_level] |
|
properties.InitiatingProcessVersionInfoCompanyName |
principal.process.file.exif_info.company |
|
properties.InitiatingProcessVersionInfoFileDescription |
principal.process.file.exif_info.file_description |
|
properties.InitiatingProcessVersionInfoInternalFileName |
additional.fields[initiating_process_version_info_internal_file_name] |
|
properties.InitiatingProcessVersionInfoOriginalFileName |
principal.process.file.exif_info.original_file |
|
properties.InitiatingProcessVersionInfoProductName |
principal.process.file.exif_info.product |
|
properties.InitiatingProcessVersionInfoProductVersion |
additional.fields[initiating_process_version_info_product_version] |
|
properties.InitiatingProcessParentCreationTime |
additional.fields[initiating_process_parent_creation_time] |
|
properties.IsAzureInfoProtectionApplied |
additional.fields[is_azure_info_protection_applied] |
|
properties.ShareName |
additional.fields[share_name] |
Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceInfo
The following table lists the log fields for theDeviceInfo log type and their corresponding UDM fields:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.DeviceId |
entity.asset_id |
The entity.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.DeviceId |
entity.asset.asset_id |
The entity.asset.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.AadDeviceId |
entity.asset.attribute.labels[aad_device_id] |
|
properties.AdditionalFields |
entity.asset.attribute.labels[additional_fields] |
|
properties.ConnectivityType |
entity.asset.attribute.labels[connectivity_type] |
|
properties.DeviceDynamicTags |
entity.asset.attribute.labels[device_dynamic_tags] |
|
properties.DeviceManualTags |
entity.asset.attribute.labels[device_manual_tags] |
|
properties.DeviceSubtype |
entity.asset.attribute.labels[device_subtype] |
|
properties.HostDeviceId |
entity.asset.attribute.labels[host_device_id] |
|
properties.IsAzureADJoined |
entity.asset.attribute.labels[is_azure_ad_joined] |
|
properties.IsInternetFacing |
entity.asset.attribute.labels[is_internet_facing] |
|
properties.JoinType |
entity.asset.attribute.labels[join_type] |
|
properties.MergedDeviceIds |
entity.asset.attribute.labels[merged_device_ids] |
|
properties.MergedToDeviceId |
entity.asset.attribute.labels[merged_to_device_id] |
|
properties.OnboardingStatus |
entity.asset.attribute.labels[onboarding_status] |
|
properties.OSArchitecture |
entity.asset.attribute.labels[os_architecture] |
|
properties.OSDistribution |
entity.asset.attribute.labels[os_distribution] |
|
properties.OSVersionInfo |
entity.asset.attribute.labels[os_version_info] |
|
properties.RegistryDeviceTag |
entity.asset.attribute.labels[registry_divice_tag] |
|
properties.ReportId |
entity.asset.attribute.labels[report_id] |
|
properties.SensorHealthState |
entity.asset.attribute.labels[sensor_health_state] |
|
properties.DeviceCategory |
entity.asset.category |
|
properties.Vendor |
entity.asset.hardware.manufacturer |
|
properties.Model |
entity.asset.hardware.model |
|
properties.DeviceName |
entity.asset.hostname |
|
properties.PublicIP |
entity.asset.nat_ip |
|
properties.OSBuild |
entity.asset.platform_software.plateform_patch_level |
|
properties.OSPlatform |
entity.asset.platform_software.platform |
If the properties.OSPlatform log field value matches the regular expression pattern (?i)macos, then the entity.asset.platform_software.platform UDM field is set to MAC.Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)windows, then the entity.asset.platform_software.platform UDM field is set to WINDOWS.Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)linux, then the entity.asset.platform_software.platform UDM field is set to LINUX. |
properties.OSVersion |
entity.asset.platform_software.platform_version |
|
properties.ClientVersion |
entity.asset.software.version |
|
properties.DeviceType |
entity.asset.type |
If the properties.DeviceType log field value is equal to NetworkDevice, then the entity.asset.type UDM field is set to NETWORK_ATTACHED_STORAGE.Else, if the properties.DeviceType log field value is equal to Workstation, then the entity.asset.type UDM field is set to WORKSTATION.Else, if the properties.DeviceType log field value is equal to Server, then the entity.asset.type UDM field is set to SERVER.Else, if the properties.DeviceType log field value is equal to Mobile, then the entity.asset.type UDM field is set to MOBILE.Else if the properties.DeviceType log field value is equal to Printer, then the entity.asset.type UDM field is set to PRINTER. |
properties.DeviceType |
entity.asset.attribute.labels |
if the properties.DeviceType log field value is equal to GamingConsole, then the properties.DeviceType log field is mapped to the entity.asset.attribute.labels UDM field. |
properties.MachineGroup |
entity.group.group_display_name |
|
properties.ExclusionReason |
entity.security_result.detection_fields[exclusion_reason] |
|
properties.ExposureLevel |
entity.security_result.detection_fields[exposure_level] |
|
properties.IsExcluded |
entity.security_result.detection_fields[is_excluded] |
|
properties.AssetValue |
entity.security_result.priority |
If the properties.AssetValue log field value is equal to High, then the entity.security_result.priority UDM field is set to HIGH_PRIORITY.Else, if the properties.AssetValue log field value is equal to Medium, then the entity.security_result.priority UDM field is set to MEDIUM_PRIORITY.Else, if the properties.AssetValue log field value is equal to Low, then the entity.security_result.priority UDM field is set to LOW_PRIORITY.Else, the properties.AssetValue log field is mapped to the entity.security_result.detection_fields.asset_value UDM field. |
properties.Timestamp |
metadata.creation_timestamp |
|
|
metadata.entity_type |
The metadata.entity_type UDM field is set to ASSET. |
properties.DeviceId |
metadata.product_entity_id |
The metadata.product_entity_id is set to DeviceID:%{properties.DeviceId}. |
|
relations.direction |
The relations.direction UDM field is set to UNIDIRECTIONAL. |
|
relations.entity_type |
The relations.entity_type UDM field is set to USER. |
|
relations.relationship |
The relations.relationship UDM field is set to MEMBER. |
properties.LoggedOnUsers.DomainName |
relations.entity.domain.name |
|
properties.LoggedOnUsers.UserName |
relations.entity.user.userid |
|
properties.LoggedOnUsers.Sid |
relations.entity.user.windows_sid |
|
properties.LoggedOnUsers |
|
Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceIdentityLogonEvents
The following table lists the log fields for theDeviceIdentityLogonEvents log type and their corresponding UDM fields:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.Application |
additional.fields[application] |
|
|
metadata.event_type |
The metadata.event_type UDM field is set to SCAN_HOST. |
properties.DeviceId |
principal.asset_id |
If the properties.DeviceId log field value is not empty, then the AssetID:properties.DeviceId log field is mapped to the principal.asset_id UDM field. else, then the AssetID:properties.AdditionalFields.MachineId log field is mapped to the principal.asset_id UDM field. |
properties.DeviceName |
principal.hostname |
If the properties.DeviceName log field value is not empty, then the properties.DeviceName log field is mapped to the principal.hostname UDM field. |
properties.LocalIP |
principal.asset.ip |
If the properties.LocalIP log field value is not empty, then the properties.LocalIP log field is mapped to the principal.asset.ip UDM field. |
properties.FolderPath |
target.file.full_path |
If the properties.FileName log field value matches the regular expression pattern the properties.FolderPath, then the properties.FolderPath log field is mapped to the target.file.full_path UDM field.Else, the properties.FolderPath/properties.FileName log field is mapped to the target.file.full_path UDM field. |
properties.FileName |
target.file.names |
|
properties.SHA1 |
target.file.sha1 |
If the properties.SHA1 log field value matches the regular expression pattern ^the , then the properties.SHA1 log field is mapped to the target.file.sha1 UDM field. |
properties.SHA256 |
target.file.sha256 |
If the properties.SHA256 log field value matches the regular expression pattern ^the , then the properties.SHA256 log field is mapped to the target.file.sha256 UDM field. |
properties.FileSize |
target.file.size |
|
properties.AccountDomain |
principal.administrative_domain |
|
properties.RemoteIP |
target.ip |
|
properties.AdditionalFields |
additional.fields[additionalfields] |
|
properties.ProcessCommandLine |
target.process.command_line |
|
properties.RegistryKey |
target.registry.registry_key |
|
properties.RegistryValueData |
target.registry.registry_value_data |
|
properties.RegistryValueName |
target.registry.registry_value_name |
|
properties.CloudPlatform |
principal.resource.attribute.cloud.environment |
If the properties.CloudPlatform log field value matches the regular expression pattern /(?i)Amazon Web Services/, then the principal.resource.attribute.cloud.environment UDM field is set to AMAZON_WEB_SERVICES.Else, if the properties.CloudPlatform log field value matches the regular expression pattern /(?i)Google Cloud Platform/, then the principal.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM.Else, if the properties.CloudPlatform log field value matches the regular expression pattern /(?i)Azure/, then the principal.resource.attribute.cloud.environment UDM field is set to MICROSOFT_AZURE.Else, the principal.resource.attribute.cloud.environment UDM field is set to UNSPECIFIED_CLOUD_ENVIRONMENT. |
properties.SubscriptionId |
principal.resource.attribute.labels[subscription_id] |
|
properties.CloudResource |
principal.resource.name |
|
properties.ResourceID |
principal.resource.product_object_id |
|
|
principal.resource.resource_type |
The principal.resource.resource_type UDM field is set to CLOUD_PROJECT. |
properties.Categories |
security_result.category_details |
|
properties.Severity |
security_result.severity |
|
properties.Title |
security_result.summary |
|
properties.ThreatFamily |
security_result.threat_name |
|
properties.RemoteUrl |
target.url |
|
properties.EvidenceDirection |
principal.user.attribute.labels[evidence_direction] |
|
properties.EvidenceRole |
principal.user.attribute.labels[evidence_role] |
|
properties.AccountObjectId |
additional.fields[account_object_id] |
|
properties.AccountUpn |
principal.user.user_display_name |
|
properties.AccountName |
principal.user.userid |
|
properties.AccountSid |
principal.user.windows_sid |
|
properties.Timestamp |
metadata.event_timestamp |
|
properties.EntityType |
principal.resource.resource_subtype |
|
properties.AlertId |
metadata.product_log_id |
|
properties.DetectionSource |
security_result.about.resource.attribute.labels[detection_source] |
|
properties.ServiceSource |
security_result.about.resource.attribute.labels[service_source] |
|
properties.AttackTechniques |
security_result.attack_details.techniques.name |
|
properties.ApplicationId |
additional.fields[application_id] |
|
properties.EmailSubject |
network.email.subject |
|
properties.NetworkMessageId |
network.email.mail_id |
|
properties.OAuthApplicationId |
additional.fields[oauth_application_id] |
Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceLogonEvents
The following table lists the log fields for theDeviceLogonEvents log type and their corresponding UDM fields:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.LogonType |
extensions.auth.mechanism |
If the properties.LogonType log field value is equal to Interactive, then the extensions.auth.mechanism UDM field is set to INTERACTIVE.Else, if the properties.LogonType log field value is equal to Network, then the extensions.auth.mechanism UDM field is set to NETWORK.Else, if the properties.LogonType log field value is equal to Batch, then the extensions.auth.mechanism UDM field is set to BATCH.Else, if the properties.LogonType log field value is equal to Service, then the extensions.auth.mechanism UDM field is set to SERVICE.Else, if the properties.LogonType log field value is equal to RemoteInteractive, then the extensions.auth.mechanism UDM field is set to REMOTE_INTERACTIVE. |
properties.Timestamp |
metadata.event_timestamp |
|
|
metadata.event_type |
The metadata.event_type UDM field is set to USER_LOGIN. |
properties.ReportId |
metadata.product_log_id |
|
properties.Protocol |
network.ip_protocol |
If the properties.Protocol log field value is equal to Tcp, then the network.ip_protocol UDM field is set to TCP.If the properties.Protocol log field value is equal to Udp, then the network.ip_protocol UDM field is set to UDP.If the properties.Protocol log field value is equal to Icmp, then the network.ip_protocol UDM field is set to ICMP. |
properties.LogonId |
network.session_id |
|
properties.InitiatingProcessAccountDomain |
principal.administrative_domain |
|
properties.DeviceId |
principal.asset_id |
The principal.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.DeviceName |
principal.hostname |
|
properties.InitiatingProcessCommandLine |
principal.process.command_line |
|
properties.InitiatingProcessFolderPath |
principal.process.file.full_path |
If the properties.InitiatingProcessFolderPath log field value matches the regular expression pattern the properties.InitiatingProcessFileName log field value, then the properties.InitiatingProcessFolderPath log field is mapped to the principal.process.file.full_path UDM field.Else, the principal.process.file.full_path is set to %{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}. |
properties.InitiatingProcessMD5 |
principal.process.file.md5 |
If the properties.InitiatingProcessMD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessMD5 log field is mapped to the principal.process.file.md5 UDM field. |
properties.InitiatingProcessFileName |
principal.process.file.names |
|
properties.InitiatingProcessSHA1 |
principal.process.file.sha1 |
If the properties.InitiatingProcessSHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessSHA1 log field is mapped to the principal.process.file.sha1 UDM field. |
properties.InitiatingProcessSHA256 |
principal.process.file.sha256 |
If the properties.InitiatingProcessSHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.InitiatingProcessSHA256 log field is mapped to the principal.process.file.sha256 UDM field. |
properties.InitiatingProcessFileSize |
principal.process.file.size |
|
properties.InitiatingProcessParentFileName |
principal.process.parent_process.file.names |
|
properties.InitiatingProcessParentId |
principal.process.parent_process.pid |
|
properties.InitiatingProcessId |
principal.process.pid |
|
properties.InitiatingProcessTokenElevation |
principal.process.token_elevation_type |
If the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeFull, then the principal.process.token_elevation_type UDM field is set to TYPE_1.Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeDefault, then the principal.process.token_elevation_type UDM field is set to TYPE_2.Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeLimited, then the principal.process.token_elevation_type UDM field is set to TYPE_3. |
properties.InitiatingProcessAccountObjectId |
principal.user.product_object_id |
|
properties.InitiatingProcessAccountUpn |
principal.user.user_display_name |
|
properties.InitiatingProcessAccountName |
principal.user.userid |
|
properties.InitiatingProcessAccountSid |
principal.user.windows_sid |
|
properties.FailureReason |
security_result.description |
|
properties.AccountDomain |
target.administrative_domain |
|
properties.RemoteDeviceName |
target.hostname |
|
properties.RemoteIP |
target.ip |
|
properties.RemotePort |
target.port |
|
properties.IsLocalAdmin |
target.resource.attribute.labels[is_local_admin] |
|
properties.AccountName |
target.user.userid |
|
properties.AccountSid |
target.user.windows_sid |
|
properties.RemoteIPType |
additional.fields[remote_ip_type] |
|
properties.AdditionalFields |
additional.fields[additional_fields] |
|
properties.AppGuardContainerId |
additional.fields[app_guard_container_id] |
|
properties.InitiatingProcessCreationTime |
additional.fields[initiating_process_creation_time] |
|
properties.InitiatingProcessIntegrityLevel |
additional.fields[initiating_process_integrity_level] |
|
properties.InitiatingProcessVersionInfoCompanyName |
principal.process.file.exif_info.company |
|
properties.InitiatingProcessVersionInfoFileDescription |
principal.process.file.exif_info.file_description |
|
properties.InitiatingProcessVersionInfoInternalFileName |
additional.fields[initiating_process_version_info_internal_file_name] |
|
properties.InitiatingProcessVersionInfoOriginalFileName |
principal.process.file.exif_info.original_file |
|
properties.InitiatingProcessVersionInfoProductName |
principal.process.file.exif_info.product |
|
properties.InitiatingProcessVersionInfoProductVersion |
additional.fields[initiating_process_version_info_product_version] |
|
properties.InitiatingProcessParentCreationTime |
additional.fields[initiating_process_parent_creation_time] |
Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceNetworkEvents
The following table lists the log fields for theDeviceNetworkEvents log type and their corresponding UDM fields:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.Timestamp |
metadata.event_timestamp |
|
|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_CONNECTION. |
properties.ReportId |
metadata.product_log_id |
|
properties.Protocol |
network.ip_protocol |
If the properties.Protocol log field value is equal to Tcp, then the network.ip_protocol UDM field is set to TCP.Else, if the properties.Protocol log field value is equal to Udp, then the network.ip_protocol UDM field is set to UDP.Else, if the properties.Protocol log field value is equal to Icmp, then the network.ip_protocol UDM field is set to ICMP. |
properties.InitiatingProcessAccountDomain |
principal.administrative_domain |
|
properties.DeviceId |
principal.asset_id |
The principal.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.DeviceName |
principal.hostname |
|
properties.LocalIP |
principal.ip |
|
properties.LocalPort |
principal.port |
|
properties.InitiatingProcessCommandLine |
principal.process.command_line |
|
properties.InitiatingProcessFolderPath |
principal.process.file.full_path |
If the properties.InitiatingProcessFolderPath log field value matches the regular expression pattern the properties.InitiatingProcessFileName log field value, then the properties.InitiatingProcessFolderPath log field is mapped to the principal.process.file.full_path UDM field.Else, the principal.process.file.full_path is set to %{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}. |
properties.InitiatingProcessMD5 |
principal.process.file.md5 |
If the properties.InitiatingProcessMD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessMD5 log field is mapped to the principal.process.file.md5 UDM field. |
properties.InitiatingProcessFileName |
principal.process.file.names |
|
properties.InitiatingProcessSHA1 |
principal.process.file.sha1 |
If the properties.InitiatingProcessSHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessSHA1 log field is mapped to the principal.process.file.sha1 UDM field. |
properties.InitiatingProcessSHA256 |
principal.process.file.sha256 |
If the properties.InitiatingProcessSHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.InitiatingProcessSHA256 log field is mapped to the principal.process.file.sha256 UDM field. |
properties.InitiatingProcessFileSize |
principal.process.file.size |
|
properties.InitiatingProcessParentFileName |
principal.process.parent_process.file.names |
|
properties.InitiatingProcessParentId |
principal.process.parent_process.pid |
|
properties.InitiatingProcessId |
principal.process.pid |
|
properties.InitiatingProcessTokenElevation |
principal.process.token_elevation_type |
If the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeFull, then the principal.process.token_elevation_type UDM field is set to TYPE_1.Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeDefault, then the principal.process.token_elevation_type UDM field is set to TYPE_2.Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeLimited, then the principal.process.token_elevation_type UDM field is set to TYPE_3. |
properties.InitiatingProcessAccountObjectId |
principal.user.product_object_id |
|
properties.InitiatingProcessAccountUpn |
principal.user.user_display_name |
|
properties.InitiatingProcessAccountName |
principal.user.userid |
|
properties.InitiatingProcessAccountSid |
principal.user.windows_sid |
|
properties.RemoteIP |
target.ip |
|
properties.RemotePort |
target.port |
|
properties.RemoteUrl |
target.url |
|
properties.LocalIPType |
additional_fields[LocalIPType] |
|
properties.RemoteIPType |
additional_fields[RemoteIPType] |
|
properties.AdditionalFields |
additional.fields[additional_fields] |
|
properties.AppGuardContainerId |
additional.fields[app_guard_container_id] |
|
properties.InitiatingProcessCreationTime |
additional.fields[initiating_process_creation_time] |
|
properties.InitiatingProcessIntegrityLevel |
additional.fields[initiating_process_integrity_level] |
|
properties.InitiatingProcessParentCreationTime |
additional.fields[initiating_process_parent_creation_time] |
|
properties.InitiatingProcessVersionInfoCompanyName |
principal.process.file.exif_info.company |
|
properties.InitiatingProcessVersionInfoFileDescription |
principal.process.file.exif_info.file_description |
|
properties.InitiatingProcessVersionInfoInternalFileName |
additional.fields[initiating_process_version_info_internal_file_name] |
|
properties.InitiatingProcessVersionInfoOriginalFileName |
principal.process.file.exif_info.original_file |
|
properties.InitiatingProcessVersionInfoProductName |
principal.process.file.exif_info.product |
|
properties.InitiatingProcessVersionInfoProductVersion |
additional.fields[initiating_process_version_info_product_version] |
Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceNetworkInfo
The following table lists the log fields for theDeviceNetworkInfo log type and their corresponding UDM fields:
| Log field | UDM mapping | Logic |
|---|---|---|
DeviceNetworkInfo |
|
|
properties.DeviceId |
entity.asset_id |
The entity.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.DeviceId |
entity.asset.asset_id |
The entity.asset.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.ReportId |
entity.asset.attribute.labels[report_id] |
|
properties.ConnectedNetworks |
entity.asset.attribute.labels[connected_networks] |
|
properties.MacAddress |
entity.asset.mac |
|
properties.NetworkAdapterName |
entity.asset.attribute.labels[network_adapter_name] |
|
properties.NetworkAdapterStatus |
entity.asset.attribute.labels[network_adapter_status] |
|
properties.NetworkAdapterType |
entity.asset.attribute.labels[network_adapter_type] |
|
properties.NetworkAdapterVendor |
entity.asset.attribute.labels[network_adapter_vendor] |
|
properties.TunnelType |
entity.asset.attribute.labels[tunnel_type] |
|
properties.DefaultGateways |
entity.asset.attribute.labels[default_gateways] |
|
properties.DeviceName |
entity.asset.hostname |
|
properties.IPAddresses |
entity.asset.ip |
|
|
entity.asset.type |
The entity.asset.type UDM field is set to WORKSTATION. |
properties.DnsAddresses |
entity.domain.last_dns_records.type |
The entity.domain.last_dns_records.type UDM field is set to ip_address. |
properties.DnsAddresses |
entity.domain.last_dns_records.value |
The properties.DnsAddresses log field is mapped to the entity.domain.last_dns_records.value UDM field. |
properties.IPv4Dhcp |
entity.network.dhcp.ciaddr |
If the properties.IPv4Dhcp log field value is not empty, then the properties.IPv4Dhcp log field is mapped to the entity.network.dhcp.ciaddr UDM field. Else, the properties.IPv6Dhcp log field is mapped to the entity.network.dhcp.ciaddr UDM field. |
properties.Timestamp |
metadata.creation_time |
|
|
metadata.entity_type |
The metadata.entity_type UDM field is set to ASSET. |
properties.DeviceId |
metadata.product_entity_id |
The metadata.product_entity_id is set to DeviceID:%{properties.DeviceId}. |
Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceProcessEvents
The following table lists the log fields for theDeviceProcessEvents log type and their corresponding UDM fields:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.Timestamp |
metadata.event_timestamp |
|
properties.ActionType |
metadata.event_type |
If the properties.ActionType log field value matches the regular expression pattern (?i)ProcessCreated, then the metadata.event_type UDM field is set to PROCESS_LAUNCH.Else, if the properties.ActionType log field value matches the regular expression pattern (?i)OpenProcess, then the metadata.event_type UDM field is set to PROCESS_OPEN. |
properties.ReportId |
metadata.product_log_id |
|
properties.LogonId |
network.session_id |
|
properties.InitiatingProcessAccountDomain |
principal.administrative_domain |
|
properties.DeviceId |
principal.asset_id |
The principal.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.DeviceName |
principal.hostname |
|
properties.InitiatingProcessCommandLine |
principal.process.command_line |
|
properties.InitiatingProcessFolderPath |
principal.process.file.full_path |
If the properties.InitiatingProcessFolderPath log field value matches the regular expression pattern the properties.InitiatingProcessFileName log field value, then the properties.InitiatingProcessFolderPath log field is mapped to the principal.process.file.full_path UDM field.Else, the principal.process.file.full_path is set to %{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}. |
properties.InitiatingProcessMD5 |
principal.process.file.md5 |
If the properties.InitiatingProcessMD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessMD5 log field is mapped to the principal.process.file.md5 UDM field. |
properties.InitiatingProcessFileName |
principal.process.file.names |
|
properties.InitiatingProcessSHA1 |
principal.process.file.sha1 |
If the properties.InitiatingProcessSHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessSHA1 log field is mapped to the principal.process.file.sha1 UDM field. |
properties.InitiatingProcessSHA256 |
principal.process.file.sha256 |
If the properties.InitiatingProcessSHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.InitiatingProcessSHA256 log field is mapped to the principal.process.file.sha256 UDM field. |
properties.InitiatingProcessSignatureStatus |
principal.process.file.signature_info.sigcheck.signers.status |
|
properties.InitiatingProcessFileSize |
principal.process.file.size |
|
properties.InitiatingProcessParentId |
principal.process.parent_process.pid |
|
properties.InitiatingProcessParentFileName |
principal.process.parent_process.file.names |
|
properties.InitiatingProcessId |
principal.process.pid |
|
properties.InitiatingProcessTokenElevation |
principal.process.token_elevation_type |
If the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeFull, then the principal.process.token_elevation_type UDM field is set to TYPE_1.Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeDefault, then the principal.process.token_elevation_type UDM field is set to TYPE_2.Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeLimited, then the principal.process.token_elevation_type UDM field is set to TYPE_3 |
properties.InitiatingProcessAccountObjectId |
principal.user.product_object_id |
|
properties.InitiatingProcessAccountUpn |
principal.user.user_display_name |
|
properties.InitiatingProcessAccountName |
principal.user.userid |
|
properties.InitiatingProcessAccountSid |
principal.user.windows_sid |
|
properties.AccountDomain |
target.administrative_domain |
|
properties.FolderPath |
target.file.full_path |
If the properties.FolderPath log field value matches the regular expression pattern the properties.FileName log field value, then the properties.FolderPath log field is mapped to the target.file.full_path UDM field.Else, the target.file.full_path set to %{properties.FolderPath}/%{properties.FileName}. |
properties.MD5 |
target.process.file.md5 |
If the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.MD5 log field is mapped to the target.file.md5 UDM field. |
properties.FileName |
target.process.file.names |
|
properties.SHA1 |
target.process.file.sha1 |
If the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.SHA1 log field is mapped to the target.file.sha1 UDM field. |
properties.SHA256 |
target.process.file.sha256 |
If the properties.SHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.SHA256 log field is mapped to the target.file.sha256 UDM field. |
properties.FileSize |
target.process.file.size |
|
properties.ProcessCommandLine |
target.process.command_line |
|
properties.ProcessId |
target.process.pid |
|
properties.ProcessTokenElevation |
target.process.token_elevation_type |
If the properties.ProcessTokenElevation log field value is equal to TokenElevationTypeFull, then the target.process.token_elevation_type UDM field is set to TYPE_1.Else, if the properties.ProcessTokenElevation log field value is equal to TokenElevationTypeDefault, then the target.process.token_elevation_type UDM field is set to TYPE_2.Else, if the properties.ProcessTokenElevation log field value is equal to TokenElevationTypeLimited, then the target.process.token_elevation_type UDM field is set to TYPE_3. |
properties.ProcessIntegrityLevel |
target.resource.attribute.labels[process_integrity_level] |
|
properties.AccountUpn |
target.user.user_display_name |
|
properties.AccountName |
target.user.userid |
|
properties.AccountSid |
target.user.windows_sid |
|
properties.InitiatingProcessCreationTime |
additional.fields[initiating_process_creation_time] |
|
properties.InitiatingProcessParentCreationTime |
additional.fields[initiating_process_parent_creation_time] |
|
properties.AccountObjectId |
additional.fields[account_object_id] |
|
properties.AdditionalFields |
additional.fields[additional_fields] |
|
properties.AppGuardContainerId |
additional.fields[app_guard_container_id] |
|
properties.InitiatingProcessIntegrityLevel |
additional.fields[initiating_process_integrity_level] |
|
properties.InitiatingProcessLogonId |
additional.fields[initiating_process_logon_id] |
|
properties.InitiatingProcessSignerType |
additional.fields[initiating_process_signer_type] |
|
properties.InitiatingProcessVersionInfoCompanyName |
principal.process.file.exif_info.company |
|
properties.InitiatingProcessVersionInfoFileDescription |
principal.process.file.exif_info.file_description |
|
properties.InitiatingProcessVersionInfoInternalFileName |
additional.fields[initiating_process_version_info_internal_file_name] |
|
properties.InitiatingProcessVersionInfoOriginalFileName |
principal.process.file.exif_info.original_file |
|
properties.InitiatingProcessVersionInfoProductName |
principal.process.file.exif_info.product |
|
properties.InitiatingProcessVersionInfoProductVersion |
additional.fields[initiating_process_version_info_product_version] |
|
properties.ProcessCreationTime |
additional.fields[process_creation_time] |
|
properties.ProcessVersionInfoCompanyName |
target.process.file.exif_info.company |
|
properties.ProcessVersionInfoFileDescription |
target.process.file.exif_info.file_description |
|
properties.ProcessVersionInfoInternalFileName |
additional.fields[process_version_info_internal_file_name] |
|
properties.ProcessVersionInfoOriginalFileName |
target.process.file.exif_info.original_file |
|
properties.ProcessVersionInfoProductName |
target.process.file.exif_info.product |
|
properties.ProcessVersionInfoProductVersion |
additional.fields[process_version_info_product_version] |
Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmInfoGathering
The following table lists the log fields for theDeviceTvmInfoGathering log type and their corresponding UDM fields:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.Timestamp |
metadata.event_timestamp |
|
|
metadata.event_type |
The metadata.event_type UDM field is set to SCAN_HOST. |
properties.DeviceId |
principal.asset_id |
The principal.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.OSPlatform |
principal.asset.platform_software.platform |
If the properties.OSPlatform log field value matches the regular expression pattern (?i)macos, then the principal.asset.platform_software.platform UDM field is set to MAC.Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)windows, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)linux, then the principal.asset.platform_software.platform UDM field is set to LINUX. |
properties.OSPlatform |
principal.asset.platform_software.platform_version |
|
properties.DeviceName |
principal.hostname |
|
properties.LastSeenTime |
security.result.last_discovered_time |
|
properties.AdditionalFields |
additional.fields[additional_fields] |
Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceRegistryEvents
The following table lists the log fields for theDeviceRegistryEvents log type and their corresponding UDM fields:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.Timestamp |
metadata.event_timestamp |
|
properties.ActionType |
metadata.event_type |
If the properties.ActionType log field value matches the regular expression pattern (?i)RegistryKeyCreated, then the metadata.event_type UDM field is set to REGISTRY_CREATION.Else, if the properties.ActionType log field value matches the regular expression pattern (?i)RegistryKeyDeleted, then the metadata.event_type UDM field is set to REGISTRY_DELETION.Else, if the properties.ActionType log field value matches the regular expression pattern (?i)RegistryKeyRenamed, then the metadata.event_type UDM field is set to REGISTRY_MODIFICATION.Else, if the properties.ActionType log field value matches the regular expression pattern (?i)RegistryValueDeleted, then the metadata.event_type UDM field is set to REGISTRY_DELETION.Else, if the properties.ActionType log field value matches the regular expression pattern (?i)RegistryValueSet, then the metadata.event_type UDM field is set to REGISTRY_MODIFICATION.Else, the metadata.event_type UDM field is set to REGISTRY_UNCATEGORIZED. |
properties.ReportId |
metadata.product_log_id |
|
properties.InitiatingProcessAccountDomain |
principal.administrative_domain |
|
properties.DeviceId |
principal.asset_id |
The principal.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.DeviceName |
principal.hostname |
|
properties.InitiatingProcessCommandLine |
principal.process.command_line |
|
properties.InitiatingProcessFolderPath |
principal.process.file.full_path |
If the properties.InitiatingProcessFolderPath log field value matches the regular expression pattern the properties.InitiatingProcessFileName log field value, then the properties.InitiatingProcessFolderPath log field is mapped to the principal.process.file.full_path UDM field.Else, the principal.process.file.full_path is set to %{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}. |
properties.InitiatingProcessMD5 |
principal.process.file.md5 |
If the properties.InitiatingProcessMD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessMD5 log field is mapped to the principal.process.file.md5 UDM field. |
properties.InitiatingProcessFileName |
principal.process.file.names |
|
properties.InitiatingProcessSHA1 |
principal.process.file.sha1 |
If the properties.InitiatingProcessSHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessSHA1 log field is mapped to the principal.process.file.sha1 UDM field. |
properties.InitiatingProcessSHA256 |
principal.process.file.sha256 |
If the properties.InitiatingProcessSHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.InitiatingProcessSHA256 log field is mapped to the principal.process.file.sha256 UDM field. |
properties.InitiatingProcessFileSize |
principal.process.file.size |
|
properties.InitiatingProcessParentFileName |
principal.process.parent_process.file.names |
|
properties.InitiatingProcessParentId |
principal.process.parent_process.pid |
|
properties.InitiatingProcessId |
principal.process.pid |
|
properties.PreviousRegistryValueData |
principal.registry.registry_value_data |
|
properties.PreviousRegistryKey |
principal.registry.registry_key |
|
properties.PreviousRegistryValueName |
principal.registry.registry_value_name |
|
properties.InitiatingProcessAccountObjectId |
principal.user.attribute.labels[initiating_process_account_object_id] |
|
properties.InitiatingProcessAccountUpn |
principal.user.attribute.labels[initiating_process_account_upn] |
|
properties.InitiatingProcessAccountName |
principal.user.userid |
|
properties.InitiatingProcessAccountSid |
principal.user.windows_sid |
|
properties.InitiatingProcessTokenElevation |
principal.process.token_elevation_type |
If the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeFull, then the principal.process.token_elevation_type UDM field is set to TYPE_1.Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeDefault, then the principal.process.token_elevation_type UDM field is set to TYPE_2.Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeLimited, then the principal.process.token_elevation_type UDM field is set to TYPE_3. |
properties.RegistryValueData |
target.registry.registry_value_data |
|
properties.RegistryKey |
target.registry.registry_key |
|
properties.RegistryValueName |
target.registry.registry_value_name |
|
properties.InitiatingProcessCreationTime |
additional.fields[initiating_process_creation_time] |
|
properties.InitiatingProcessIntegrityLevel |
additional.fields[initiating_process_integrity_level] |
|
properties.InitiatingProcessParentCreationTime |
additional.fields[initiating_process_parent_creation_time] |
|
properties.AppGuardContainerId |
additional.fields[app_guard_container_id] |
|
properties.InitiatingProcessVersionInfoCompanyName |
principal.process.file.exif_info.company |
|
properties.InitiatingProcessVersionInfoFileDescription |
principal.process.file.exif_info.file_description |
|
properties.InitiatingProcessVersionInfoInternalFileName |
additional.fields[initiating_process_version_info_internal_file_name] |
|
properties.InitiatingProcessVersionInfoOriginalFileName |
principal.process.file.exif_info.original_file |
|
properties.InitiatingProcessVersionInfoProductName |
principal.process.file.exif_info.product |
|
properties.InitiatingProcessVersionInfoProductVersion |
additional.fields[initiating_process_version_info_product_version] |
|
properties.RegistryValueType |
additional.fields[registry_value_type] |
Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmInfoGatheringKB
The following table lists the log fields for theDeviceTvmInfoGatheringKB log type and their corresponding UDM fields:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.Description |
metadata.description |
|
|
metadata.event_type |
The metadata.event_type UDM field is set to GENERIC_EVENT. |
properties.IgId |
metadata.product_log_id |
|
properties.Categories |
principal.resource.attribute.labels[categories] |
|
properties.DataStructure |
principal.resource.attribute.labels[data_structure] |
|
properties.FieldName |
principal.resource.name |
Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmSecureConfigurationAssessment
The following table lists the log fields for theDeviceTvmSecureConfigurationAssessment log type and their corresponding UDM fields:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.Timestamp |
metadata.event_timestamp |
|
|
metadata.event_type |
The metadata.event_type UDM field is set to SCAN_UNCATEGORIZED. |
properties.DeviceId |
principal.asset_id |
The principal.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.OSPlatform |
principal.asset.platform_software.platform |
If the properties.OSPlatform log field value matches the regular expression pattern (?i)macos, then the prinipal.asset.platform_software.platform UDM field is set to MAC.Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)windows, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)linux, then the principal.asset.platform_software.platform UDM field is set to LINUX. |
properties.DeviceName |
principal.hostname |
|
properties.ConfigurationCategory |
principal.resource.attribute.labels[configuration_category] |
|
properties.ConfigurationImpact |
principal.resource.attribute.labels[configuration_impact] |
|
properties.Context |
principal.resource.attribute.labels[contex] |
|
properties.IsApplicable |
principal.resource.attribute.labels[is_applicable] |
|
properties.IsCompliant |
principal.resource.attribute.labels[is_compliant] |
|
properties.IsExpectedUserImpact |
principal.resource.attribute.labels[is_expected_user_impact] |
|
properties.ConfigurationId |
principal.resource.product_object_id |
|
properties.ConfigurationSubcategory |
principal.resource.resource_subtype |
|
|
principal.resource.resource_type |
The principal.resource.resource_type UDM field is set to ACCESS_POLICY. |
Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmSecureConfigurationAssessmentKB
The following table lists the log fields for theDeviceTvmSecureConfigurationAssessmentKB log type and their corresponding UDM fields:
| Log field | UDM mapping | Logic |
|---|---|---|
|
metadata.event_type |
The metadata.event_type UDM field is set to GENERIC_EVENT. |
properties.ConfigurationBenchmarks |
principal.resource.attribute.labels[configuration_benchmarks] |
|
properties.ConfigurationCategory |
principal.resource.attribute.labels[configuration_category] |
|
properties.ConfigurationDescription |
principal.resource.attribute.labels[configuration_description] |
|
properties.ConfigurationImpact |
principal.resource.attribute.labels[configuration_impact] |
|
properties.RemediationOptions |
principal.resource.attribute.labels[remediation_options] |
|
properties.RiskDescription |
principal.resource.attribute.labels[risk_description] |
|
properties.Tags |
principal.resource.attribute.labels[tags] |
|
properties.ConfigurationName |
principal.resource.name |
|
properties.ConfigurationId |
principal.resource.product_object_id |
|
properties.ConfigurationSubcategory |
principal.resource.resource_subtype |
|
|
principal.resource.resource_type |
The principal.resource.resource_type UDM field is set to ACCESS_POLICY. |
Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmSoftwareEvidenceBeta
The following table lists the log fields for theDeviceTvmSoftwareEvidenceBeta log type and their corresponding UDM fields:
| Log field | UDM mapping | Logic |
|---|---|---|
|
metadata.event_type |
The metadata.event_type UDM field is set to GENERIC_EVENT. |
properties.DeviceId |
principal.asset_id |
The principal.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.DiskPaths |
principal.asset.attribute.labels[disk_paths] |
The properties.DiskPaths log field is mapped to the principal.asset.attribute.labels.disk_paths UDM field. |
properties.RegistryPaths |
principal.asset.attribute.labels[registry_paths] |
The properties.RegistryPaths log field is mapped to the principal.asset.attribute.labels.registry_paths UDM field. |
properties.LastSeenTime |
principal.asset.last_discover_time |
|
properties.SoftwareName |
principal.asset.software.name |
|
properties.SoftwareVendor |
principal.asset.software.vendor_name |
|
properties.SoftwareVersion |
principal.asset.software.version |
Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmSoftwareInventory
The following table lists the log fields for theDeviceTvmSoftwareInventory log type and their corresponding UDM fields:
| Log field | UDM mapping | Logic |
|---|---|---|
|
metadata.event_type |
The metadata.event_type UDM field is set to GENERIC_EVENT. |
properties.DeviceId |
principal.asset_id |
The principal.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.EndOfSupportDate |
principal.asset.attribute.labels[end_of_support_date] |
|
properties.EndOfSupportStatus |
principal.asset.attribute.labels[end_of_support_status] |
|
properties.OSArchitecture |
principal.asset.attribute.labels[os_architecture] |
|
properties.ProductCodeCpe |
principal.asset.attribute.labels[product_code_cpe] |
|
properties.OSPlatform |
principal.asset.platform_software.platform |
If the properties.OSPlatform log field value matches the regular expression pattern (?i)macos, then the prinipal.asset.platform_software.platform UDM field is set to MAC.Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)windows, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)linux, then the principal.asset.platform_software.platform UDM field is set to LINUX. |
properties.OSVersion |
principal.asset.platform_software.platform_version |
|
properties.SoftwareName |
principal.asset.software.name |
|
properties.SoftwareVendor |
principal.asset.software.vendor_name |
|
properties.SoftwareVersion |
principal.asset.software.version |
|
properties.DeviceName |
principal.hostname |
Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmSoftwareVulnerabilities
The following table lists the log fields for theDeviceTvmSoftwareVulnerabilities log type and their corresponding UDM fields:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.CveId |
extensions.vulns.vulnerabilities.cve_id |
|
properties.VulnerabilityLevel |
extensions.vulns.vulnerabilities.severity |
If the properties.VulnerabilityLevel log field value is equal to High, then the extensions.vulns.vulnerabilities.severity UDM field is set to HIGH.Else, if the properties.VulnerabilityLevel log field value is equal to Medium, then the extensions.vulns.vulnerabilities.severity UDM field is set to MEDIUM.Else, if the properties.VulnerabilityLevel log field value is equal to Low, then the extensions.vulns.vulnerabilities.severity UDM field is set to LOW.Else, if the properties.VulnerabilityLevel log field value is equal to Informational, then the extensions.vulns.vulnerabilities.severity UDM field is set to INFORMATIONAL. |
properties.SeverityLevel |
extensions.vulns.vulnerablitities.severity_details |
|
|
metadata.event_type |
The metadata.event_type UDM field is set to SCAN_VULN_HOST. |
properties.DeviceId |
principal.asset_id |
The principal.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.OSPlatform |
principal.asset.platform_software.platform |
If the properties.OSPlatform log field value matches the regular expression pattern (?i)macos, then the principal.asset.platform_software.platform UDM field is set to MAC.Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)windows, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)linux, then the principal.asset.platform_software.platform UDM field is set to LINUX. |
properties.OSVersion |
principal.asset.platform_software.platform_version |
|
properties.SoftwareName |
principal.asset.software.name |
|
properties.SoftwareVendor |
principal.asset.software.vendor_name |
|
properties.SoftwareVersion |
principal.asset.software.version |
|
properties.DeviceName |
principal.hostname |
|
properties.RecommendedSecurityUpdateId |
security_result.detection_fields[recommended_security_update_id] |
|
properties.RecommendedSecurityUpdate |
security_result.detection_fields[recommended_security_update] |
|
properties.CveTags |
additional.fields[cve_tags] |
Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmSoftwareVulnerabilitiesKB
The following table lists the log fields for theDeviceTvmSoftwareVulnerabilitiesKB log type and their corresponding UDM fields:
| Log field | UDM mapping | Logic |
|---|---|---|
|
metadata.event_type |
The metadata.event_type UDM field is set to GENERIC_EVENT. |
properties.CveId |
extensions.vulns.vulnerabilities.cve_id |
|
properties.CvssScore |
extensions.vulns.vulnerablities.cvss_base_score |
|
properties.IsExploitAvailable |
extensions.vulns.vulnerablities.cvss_vector |
|
properties.VulnerabilitySeverityLevel |
extensions.vulns.vulnerabilities.severity |
If the properties.VulnerabilitySeverityLevel log field value is equal to High, then the extensions.vulns.vulnerabilities.severity UDM field is set to HIGH.Else, if the properties.VulnerabilitySeverityLevel log field value is equal to Medium, then the extensions.vulns.vulnerabilities.severity UDM field is set to MEDIUM.Else, if the properties.VulnerabilitySeverityLevel log field value is equal to Low, then the extensions.vulns.vulnerabilities.severity UDM field is set to LOW.Else, if the properties.VulnerabilitySeverityLevel log field value is equal to Informational, then the extensions.vulns.vulnerabilities.severity UDM field is set to INFORMATIONAL.Else, the extensions.vulns.vulnerabilities.severity UDM field is set to UNKNOWN_SEVERITY. |
properties.VulnerabilitySeverityLevel |
extensions.vulns.vulnerablitities.severity_details |
|
properties.LastModifiedTime |
extensions.vulns.vulnerabilities.scan_end_time |
|
properties.PublishedDate |
extensions.vulns.vulnerabilities.first_found |
|
properties.VulnerabilityDescription |
extensions.vulns.vulnerabilities.cve_description |
|
properties.AffectedSoftware |
extensions.vulns.vulnerabilities.description |
Field mapping reference: MICROSOFT DEFENDER ENDPOINT - EmailAttachmentInfo
The following table lists the log fields for theEmailAttachmentInfo log type and their corresponding UDM fields:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.FileType |
target.file.mime_type |
|
properties.FileName |
target.file.names |
|
properties.SHA256 |
target.file.sha256 |
If the properties.SHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.SHA256 log field is mapped to the target.file.sha256 UDM field. |
properties.FileSize |
target.file.size |
|
properties.Timestamp |
metadata.event_timestamp |
|
|
metadata.event_type |
The metadata.event_type UDM field is set to EMAIL_TRANSACTION. |
properties.ReportId |
metadata.product_log_id |
|
properties.SenderFromAddress |
network.email.from |
If the properties.SenderFromAddress log field value matches the regular expression pattern ^.+@.+$, then the properties.SenderFromAddress log field is mapped to the network.email.from UDM field. |
properties.NetworkMessageId |
network.email.mail_id |
|
properties.RecipientEmailAddress |
network.email.to |
If the properties.RecipientEmailAddress log field value matches the regular expression pattern ^.+@.+$, then the properties.RecipientEmailAddress log field is mapped to the network.email.to UDM field. |
properties.SenderFromAddress |
principal.user.email_addresses |
If the properties.SenderFromAddress log field value matches the regular expression pattern ^.+@.+$, then the properties.SenderFromAddress log field is mapped to the principal.user.email_addresses UDM field. |
properties.SenderObjectId |
principal.user.product_object_id |
|
properties.SenderDisplayName |
principal.user.user_display_name |
|
properties.ThreatTypes |
security_result.category |
If the properties.ThreatTypes log field value is equal to Phish, then the security_result.category UDM field is set to MAIL_PHISHING. |
properties.DetectionMethods |
security_result.detection_fields[detection_methods] |
|
properties.ThreatNames |
security_result.threat_name |
|
properties.RecipientEmailAddress |
target.user.email_addresses |
If the properties.RecipientEmailAddress log field value matches the regular expression pattern ^.+@.+$, then the properties.RecipientEmailAddress log field is mapped to the target.user.email_addresses UDM field. |
properties.RecipientObjectId |
target.user.product_object_id |
Field mapping reference: MICROSOFT DEFENDER ENDPOINT - EmailEvents
The following table lists the log fields for theEmailEvents log type and their corresponding UDM fields:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.Timestamp |
metadata.event_timestamp |
|
|
metadata.event_type |
The metadata.event_type UDM field is set to EMAIL_TRANSACTION. |
properties.ReportId |
metadata.product_log_id |
|
properties.EmailDirection |
network.direction |
If the properties.EmailDirection log field value is equal to Inbound, then the network.direction UDM field is set to INBOUND.Else, if the properties.EmailDirection log field value is equal to Outbound, then the network.direction UDM field is set to OUTBOUND.Else, the network.direction UDM field is set to UNKNOWN_DIRECTION. |
properties.NetworkMessageId |
network.email.mail_id |
|
properties.Subject |
network.email.subject |
|
properties.RecipientEmailAddress |
network.email.to |
|
properties.SenderFromDomain |
principal.administrative_domain |
|
properties.SenderIPv4 |
principal.ip |
|
properties.SenderIPv6 |
principal.ip |
|
properties.SenderMailFromAddress |
principal.user.attribute.labels[sender_mail_from_address] |
|
properties.SenderFromAddress |
principal.user.email_addresses |
If the properties.SenderFromAddress log field value matches the regular expression pattern ^.+@.+$, then the properties.SenderFromAddress log field is mapped to the principal.user.email_addresses UDM field. |
properties.SenderMailFromDomain |
principal.user.attribute.labels[sender_mail_from_domain] |
|
properties.SenderObjectId |
principal.user.product_object_id |
|
properties.SenderDisplayName |
principal.user.user_display_name |
|
properties.ThreatTypes |
security_result.category |
If the properties.ThreatTypes log field value is equal to Phish, then the security_result.category UDM field is set to MAIL_PHISHING. |
properties.ThreatTypes |
security_result.category_details |
|
properties.ConfidenceLevel |
security_result.confidence_details |
|
properties.EmailAction |
security_result.description |
|
properties.AuthenticationDetails |
security_result.detection_fields[authentication_details] |
|
properties.BulkComplaintLevel |
security_result.detection_fields[bulk_complaint_level] |
|
properties.DetectionMethods |
security_result.detection_fields[detection_methods] |
|
properties.EmailActionPolicyGuid |
security_result.rule_id |
|
properties.EmailActionPolicy |
security_result.rule_name |
|
properties.ThreatNames |
security_result.threat_name |
|
properties.OrgLevelAction |
security_result.rule_labels[org_level_action] |
|
properties.OrgLevelPolicy |
security_result.rule_labels[org_level_policy] |
|
properties.UserLevelAction |
security_result.rule_labels[user_level_action] |
|
properties.UserLevelPolicy |
security_result.rule_labels[user_level_policy] |
|
properties.RecipientEmailAddress |
target.user.email_addresses |
If the properties.RecipientEmailAddress log field value matches the regular expression pattern ^.+@.+$, then the properties.RecipientEmailAddress log field is mapped to the target.user.email_addresses UDM field. |
properties.RecipientObjectId |
target.user.product_object_id |
|
properties.AdditionalFields |
additional.fields[additional_fields] |
|
properties.DeliveryAction |
additional.fields[delivery_action] |
|
properties.DeliveryLocation |
additional.fields[delivery_location] |
The properties.DeliveryLocation log field is mapped to the additional.fields.delivery_location UDM field. |
properties.EmailClusterId |
additional.fields[email_cluster_id] |
|
properties.EmailLanguage |
additional.fields[email_language] |
|
properties.InternetMessageId |
additional.fields[internet_message_id] |
|
properties.LatestDeliveryLocation |
additional.fields[last_delivery_location] |
|
properties.UrlCount |
additional.fields[connectors] |
|
properties.Connectors |
additional.fields[attachment_count] |
|
properties.AttachmentCount |
additional.fields[latest_delivery_action] |
|
properties.LatestDeliveryAction |
additional.fields[latest_delivery_action] |
Field mapping reference: MICROSOFT DEFENDER ENDPOINT - EmailPostDeliveryEvents
The following table lists the log fields for theEmailPostDeliveryEvents log type and their corresponding UDM fields:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.Timestamp |
metadata.event_timestamp |
|
|
metadata.event_type |
The metadata.event_type UDM field is set to EMAIL_UNCATEGORIZED. |
properties.ReportId |
security_result.detection_fields[report_id] |
|
properties.NetworkMessageId |
network.email.mail_id |
|
properties.ActionResult |
security_result.summary |
|
properties.ThreatTypes |
security_result.category |
If the properties.ThreatTypes log field value is equal to Phish, then the security_result.category UDM field is set to MAIL_PHISHING. |
properties.ThreatTypes |
security_result.category_details |
|
properties.ActionTrigger |
security_result.detection_fields[action_trigger] |
|
properties.DeliveryLocation |
security_result.detection_fields[delivery_location] |
|
properties.DetectionMethods |
security_result.detection_fields[detection_methods] |
|
properties.Action |
security_result.action_details |
|
properties.ActionType |
security_result.verdict_info.verdict_type |
If the properties.ActionType log field value is equal to Manual Remediation, then the security_result.verdict_info.verdict_type UDM field is set to ANALYST_VERDICT.Else, if the properties.ActionType log field contains one of the following values, then the security_result.verdict_info.verdict_type UDM field is set to PROVIDER_ML_VERDICT.
|
properties.RecipientEmailAddress |
target.user.email_addresses |
If the properties.RecipientEmailAddress log field value matches the regular expression pattern ^.+@.+$, then the properties.RecipientEmailAddress log field is mapped to the target.user.email_addresses UDM field. |
properties.InternetMessageId |
additional.fields[internet_message_id] |
Field mapping reference: MICROSOFT DEFENDER ENDPOINT - EmailUrlInfo
The following table lists the log fields for theEmailUrlInfo log type and their corresponding UDM fields:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.UrlDomain |
target.hostname |
|
properties.Url |
target.url |
|
properties.Timestamp |
metadata.event_timestamp |
|
|
metadata.event_type |
The metadata.event_type UDM field is set to EMAIL_TRANSACTION. |
properties.ReportId |
metadata.product_log_id |
|
properties.NetworkMessageId |
network.email.mail_id |
|
properties.UrlLocation |
additional.fields[url_location] |
Field mapping reference: MICROSOFT DEFENDER ENDPOINT - IdentityInfo
The following table lists the log fields for theIdentityInfo log type and their corresponding UDM fields:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.SourceSystem |
entity.resource.parent |
|
properties.AccountDomain |
entity.administrative_domain |
|
properties.TenantId |
entity.resource.product_object_id |
|
properties.CreatedDateTime |
entity.user.attribute.creation_time |
|
properties.AccountUpn |
entity.user.attribute.labels[account_upn] |
|
properties.ChangeSource |
entity.user.attribute.labels[change_source] |
|
properties.CloudSid |
entity.user.attribute.labels[cloud_sid] |
|
properties.ReportId |
entity.user.attribute.labels[report_id] |
|
properties.SipProxyAddress |
entity.user.attribute.labels[sip_proxy_address] |
|
properties.SourceProvider |
entity.user.attribute.labels[source_provider] |
|
properties.Tags |
entity.user.attribute.labels[tags] |
|
properties.Type |
entity.user.attribute.role.name |
|
properties.DistinguishedName |
entity.user.attributes.labels[distinguished_name] |
|
properties.Department |
entity.user.department |
|
properties.EmailAddress |
entity.user.email_addresses |
If the properties.EmailAddress log field value matches the regular expression pattern ^.+@.+$, then the properties.EmailAddress log field is mapped to the entity.user.email_addresses UDM field. |
properties.GivenName |
entity.user.first_name |
|
properties.Surname |
entity.user.last_name |
|
properties.Manager |
entity.user.managers.user_display_name |
|
properties.City |
entity.user.personal_address.city |
|
properties.Country |
entity.user.personal_address.country_or_region |
|
properties.Address |
entity.user.personal_address.name |
|
properties.Phone |
entity.user.phone_numbers |
|
properties.AccountObjectId |
entity.user.product_object_id |
|
properties.AssignedRoles |
entity.user.role_description |
|
properties.JobTitle |
entity.user.title |
|
properties.IsAccountEnabled |
entity.user.user_authentication_status |
If the properties.IsAccountEnabled log field value is equal to 1, then the entity.user.user_authentication_status UDM field is set to ACTIVE.Else, the entity.user.user_authentication_status UDM field is set to SUSPENDED. |
properties.AccountDisplayName |
entity.user.user_display_name |
|
properties.AccountName |
entity.user.userid |
|
properties.OnPremSid |
entity.user.attribute.labels[on_prem_sid] |
|
properties.Timestamp |
metadata.creation_time |
|
|
metadata.entity_type |
The metadata.entity_type UDM field is set to USER. |
properties.AccountObjectId |
metadata.product_entity_id |