Collect Microsoft Defender for Endpoint logs

This document describes how you can collect Microsoft Defender for Endpoint logs by setting up a Google Security Operations feed and how log fields map to Google SecOps unified data model (UDM) fields.

For more information, see Data ingestion to Google SecOps.

A typical deployment consists of Microsoft Defender for Endpoint streaming events to an Azure Storage account and a Google SecOps feed that pulls those events from the storage account into Google SecOps. Your deployment might differ from the typical deployment described in this document. The deployment contains the following components:

  • Microsoft Defender for Endpoint: the platform that generates the events and streams them to Azure Storage.

  • Azure Storage: the storage account (blob containers) where the streamed events are written.

  • Google SecOps feed: the feed that fetches the event files from Azure Blob Storage and writes them to Google SecOps.

  • Google SecOps: the platform that retains and analyzes the logs from Microsoft Defender for Endpoint.

An ingestion label identifies the parser that normalizes raw log data to structured UDM format. The information in this document applies to the parser with the MICROSOFT_DEFENDER_ENDPOINT ingestion label.

Before you begin

Set up Microsoft Defender for Endpoint

  1. Sign in to security.microsoft.com as a global administrator or security administrator.
  2. In the left pane, click Settings.
  3. Select the Microsoft Defender XDR tab.
  4. Under General, select Streaming API, and then click Add.
  5. Select Forward events to Azure Storage.
  6. In the Azure portal, open the storage account that will receive the events.
  7. Select Overview > JSON View and copy the storage account's Resource ID.
  8. Back in the Streaming API settings, paste the Resource ID, and then select the event types (tables) that you want to forward. Each selected event type is written to its own container in the storage account; note the container names, because the Google SecOps feed reads from a container or blob URI.
  9. Click Save.

Configure a feed in Google SecOps to ingest Microsoft Defender for Endpoint logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add new.
  3. In the Feed name field, enter a name for the feed (for example, MS Defender Logs).
  4. Select Microsoft Azure Blob Storage as the Source Type.
  5. Select Microsoft Defender for Endpoint as the Log type.
  6. Click Next.
  7. Configure the following input parameters:
    • Azure URI: the URI of the Azure Blob Storage container or blob that the Streaming API writes to.
    • URI is a: whether the URI points to a single blob or to a container.
    • Source deletion option: whether to delete files or directories after they are transferred. Deletion requires the credential to carry delete permission on the container.
    • Authentication: select Shared key or SAS token. Prefer a SAS token scoped to that container with only the permissions the feed needs (read and list, plus delete only if you enable source deletion) and an expiry time; the account shared key grants full access to every container in the storage account and cannot be scoped.
    • Key/Token: the shared key or SAS token used to access the container.
  8. Click Next and then Submit.

If you encounter issues when you ingest Microsoft Defender for Endpoint logs, contact Google SecOps support.

Supported Microsoft Defender for Endpoint log types

The Microsoft Defender for Endpoint parser supports the following tables:

  • AlertEvidence
  • AlertInfo
  • DeviceAlertEvents
  • DeviceEvents
  • DeviceFileCertificateInfo
  • DeviceFileEvents
  • DeviceImageLoadEvents
  • DeviceInfo
  • DeviceLogonEvents
  • DeviceNetworkEvents
  • DeviceNetworkInfo
  • DeviceProcessEvents
  • DeviceRegistryEvents
  • DeviceTvmInfoGathering
  • DeviceTvmInfoGatheringKB
  • DeviceTvmSecureConfigurationAssessment
  • DeviceTvmSecureConfigurationAssessmentKB
  • DeviceTvmSoftwareEvidenceBeta
  • DeviceTvmSoftwareInventory
  • DeviceTvmSoftwareVulnerabilities
  • DeviceTvmSoftwareVulnerabilitiesKB
  • EmailAttachmentInfo
  • EmailEvents
  • EmailPostDeliveryEvents
  • EmailUrlInfo
  • IdentityInfo

Field mapping reference

This section explains how the Google Security Operations parser maps Microsoft Defender for Endpoint fields to Google Security Operations UDM fields.

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - Common Fields for UDM Event Model

The following table lists the common log fields for the MICROSOFT_DEFENDER_ENDPOINT log type and their corresponding UDM fields.

Common log field UDM mapping Logic
time metadata.collected_timestamp
category metadata.product_event_type
metadata.product_name The metadata.product_name UDM field is set to Microsoft Defender for Endpoint.
metadata.vendor_name The metadata.vendor_name UDM field is set to Microsoft.
Tenant observer.resource_ancestors.name
tenantId observer.resource_ancestors.product_object_id
operationName additional.fields[operation_name]

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - Common Fields for UDM Entity Model

The following table lists the common log fields for the MICROSOFT_DEFENDER_ENDPOINT log type and their corresponding UDM fields.

Common log field UDM mapping Logic
metadata.vendor_name The metadata.vendor_name UDM field is set to Microsoft.
metadata.product_name The metadata.product_name UDM field is set to Microsoft Defender for Endpoint.
time metadata.collected_timestamp
tenantId relations.entity.resource.product_object_id
operationName additional.fields[operation_name]
category metadata.description
Tenant relations.entity.resource.name
relations.entity_type The relations.entity_type UDM field is set to RESOURCE.
relations.relationship The relations.relationship UDM field is set to MEMBER.
relations.direction The relations.direction UDM field is set to UNIDIRECTIONAL.

Field mapping reference: DeviceEvents Event Identifier to Event Type

The following table lists the DeviceEvents log action types and their corresponding UDM event types.

Event Identifier Event Type
UsbDriveDriveLetterChanged DEVICE_CONFIG_UPDATE
AppControlAppInstallationAudited SCAN_HOST
AsrExecutableOfficeContentAudited SCAN_HOST
ShellLinkCreateFileEvent FILE_CREATION
FileTimestampModificationEvent FILE_MODIFICATION
PlistPropertyModified FILE_MODIFICATION
SensitiveFileRead FILE_READ
AsrUntrustedExecutableAudited SCAN_HOST
AsrUntrustedExecutableBlocked SCAN_HOST
DlpPocPrintJob FILE_UNCATEGORIZED
RemovableStorageFileEvent FILE_UNCATEGORIZED
DpapiAccessed GENERIC_EVENT
ScreenshotTaken GENERIC_EVENT
SecurityGroupCreated GROUP_CREATION
SecurityGroupDeleted GROUP_DELETION
UserAccountAddedToLocalGroup GROUP_MODIFICATION
UserAccountRemovedFromLocalGroup GROUP_MODIFICATION
ExploitGuardNetworkProtectionAudited SCAN_HOST
ExploitGuardNetworkProtectionBlocked SCAN_HOST
FirewallInboundConnectionBlocked NETWORK_CONNECTION
FirewallInboundConnectionToAppBlocked NETWORK_CONNECTION
FirewallOutboundConnectionBlocked NETWORK_CONNECTION
RemoteDesktopConnection NETWORK_CONNECTION
RemoteWmiOperation NETWORK_CONNECTION
UntrustedWifiConnection NETWORK_CONNECTION
DnsQueryRequest NETWORK_DNS
DnsQueryResponse NETWORK_DNS
NetworkShareObjectAdded NETWORK_UNCATEGORIZED
AppGuardBrowseToUrl SCAN_HOST
BrowserLaunchedToOpenUrl NETWORK_UNCATEGORIZED
NetworkProtectionUserBypassEvent NETWORK_UNCATEGORIZED
NetworkShareObjectAccessChecked NETWORK_UNCATEGORIZED
NetworkShareObjectDeleted NETWORK_UNCATEGORIZED
NetworkShareObjectModified NETWORK_UNCATEGORIZED
AsrOfficeProcessInjectionAudited SCAN_HOST
AppGuardCreateContainer SCAN_HOST
AppGuardLaunchedWithUrl SCAN_HOST
AsrAdobeReaderChildProcessAudited SCAN_HOST
AsrAdobeReaderChildProcessBlocked SCAN_HOST
AsrExecutableEmailContentAudited SCAN_HOST
AsrOfficeChildProcessAudited SCAN_HOST
AsrOfficeCommAppChildProcessAudited SCAN_HOST
AsrPsexecWmiChildProcessAudited SCAN_HOST
AsrScriptExecutableDownloadAudited SCAN_HOST
AsrUntrustedUsbProcessAudited SCAN_HOST
ExploitGuardChildProcessAudited SCAN_HOST
ExploitGuardLowIntegrityImageAudited SCAN_HOST
PowerShellCommand PROCESS_LAUNCH
ProcessCreatedUsingWmiQuery PROCESS_LAUNCH
QueueUserApcRemoteApiCall PROCESS_LAUNCH
GetClipboardData STATUS_UPDATE
OpenProcessApiCall PROCESS_OPEN
ScriptContent PROCESS_LAUNCH
AppControlAppInstallationBlocked SCAN_HOST
AppGuardSuspendContainer SCAN_HOST
AppGuardStopContainer SCAN_HOST
AppLockerBlockExecutable PROCESS_UNCATEGORIZED
AsrObfuscatedScriptAudited SCAN_HOST
AsrObfuscatedScriptBlocked SCAN_HOST
AsrOfficeChildProcessBlocked SCAN_HOST
AsrOfficeProcessInjectionBlocked SCAN_HOST
AsrPsexecWmiChildProcessBlocked SCAN_HOST
AsrScriptExecutableDownloadBlocked SCAN_HOST
AsrUntrustedUsbProcessBlocked SCAN_HOST
ExploitGuardChildProcessBlocked SCAN_HOST
ExploitGuardLowIntegrityImageBlocked SCAN_HOST
ExploitGuardSharedBinaryAudited SCAN_HOST
ExploitGuardSharedBinaryBlocked SCAN_HOST
MemoryRemoteProtect PROCESS_UNCATEGORIZED
NamedPipeEvent PROCESS_UNCATEGORIZED
NtAllocateVirtualMemoryApiCall PROCESS_UNCATEGORIZED
NtAllocateVirtualMemoryRemoteApiCall PROCESS_UNCATEGORIZED
NtMapViewOfSectionRemoteApiCall PROCESS_UNCATEGORIZED
NtProtectVirtualMemoryApiCall PROCESS_UNCATEGORIZED
ProcessPrimaryTokenModified PROCESS_UNCATEGORIZED
PTraceDetected PROCESS_UNCATEGORIZED
ReadProcessMemoryApiCall PROCESS_UNCATEGORIZED
SetThreadContextRemoteApiCall PROCESS_UNCATEGORIZED
WriteProcessMemoryApiCall PROCESS_UNCATEGORIZED
WriteToLsassProcessMemory PROCESS_UNCATEGORIZED
AsrOfficeCommAppChildProcessBlocked SCAN_HOST
AppControlCIScriptAudited SCAN_HOST
AppControlCIScriptBlocked SCAN_HOST
AppControlCodeIntegrityImageAudited SCAN_HOST
AppControlCodeIntegrityImageRevoked SCAN_HOST
AppControlCodeIntegrityOriginAllowed SCAN_HOST
AppControlCodeIntegrityOriginAudited SCAN_HOST
AppControlCodeIntegrityOriginBlocked SCAN_HOST
AppControlScriptAudited SCAN_HOST
AppControlScriptBlocked SCAN_HOST
AsrExecutableEmailContentBlocked SCAN_HOST
SafeDocFileScan SCAN_FILE
AntivirusDefinitionsUpdated SCAN_HOST
AntivirusDefinitionsUpdateFailed SCAN_HOST
AntivirusDetection SCAN_HOST
AntivirusDetectionActionType SCAN_HOST
AntivirusEmergencyUpdatesInstalled SCAN_HOST
AntivirusError SCAN_HOST
AntivirusMalwareActionFailed SCAN_HOST
AntivirusMalwareBlocked SCAN_HOST
AntivirusReport SCAN_HOST
AntivirusScanCancelled SCAN_HOST
AntivirusScanCompleted SCAN_HOST
AntivirusScanFailed SCAN_HOST
AntivirusTroubleshootModeEvent SCAN_HOST
AppControlCodeIntegrityDriverRevoked SCAN_HOST
AppControlCodeIntegrityPolicyAudited SCAN_HOST
AppControlCodeIntegrityPolicyBlocked SCAN_HOST
AppControlCodeIntegrityPolicyLoaded SCAN_HOST
AppControlCodeIntegritySigningInformation SCAN_HOST
AppControlExecutableAudited SCAN_HOST
AppControlExecutableBlocked SCAN_HOST
AppControlPackagedAppAudited SCAN_HOST
AppControlPackagedAppBlocked SCAN_HOST
AccountCheckedForBlankPassword SCAN_UNCATEGORIZED
SmartScreenAppWarning SCAN_UNCATEGORIZED
SmartScreenExploitWarning SCAN_HOST
SmartScreenUrlWarning SCAN_UNCATEGORIZED
SmartScreenUserOverride SCAN_UNCATEGORIZED
ScheduledTaskCreated SCHEDULED_TASK_CREATION
ScheduledTaskDeleted SCHEDULED_TASK_DELETION
ScheduledTaskDisabled SCHEDULED_TASK_DISABLE
ScheduledTaskEnabled SCHEDULED_TASK_ENABLE
ScheduledTaskUpdated SCHEDULED_TASK_MODIFICATION
ServiceInstalled SERVICE_CREATION
DirectoryServiceObjectCreated SERVICE_MODIFICATION
DirectoryServiceObjectModified SERVICE_MODIFICATION
AuditPolicyModification SERVICE_MODIFICATION
CreateRemoteThreadApiCall PROCESS_UNCATEGORIZED
CredentialsBackup SERVICE_START
FirewallServiceStopped SERVICE_STOP
BitLockerAuditCompleted SERVICE_UNSPECIFIED
AppControlPolicyApplied SCAN_HOST
AppGuardResumeContainer SCAN_HOST
AppLockerBlockPackagedApp STATUS_UPDATE
AppLockerBlockPackagedAppInstallation STATUS_UPDATE
AppLockerBlockScript STATUS_UPDATE
AsrExecutableOfficeContentBlocked SCAN_HOST
AsrLsassCredentialTheftAudited SCAN_HOST
AsrLsassCredentialTheftBlocked SCAN_HOST
AsrOfficeMacroWin32ApiCallsAudited SCAN_HOST
AsrOfficeMacroWin32ApiCallsBlocked SCAN_HOST
AsrPersistenceThroughWmiAudited SCAN_HOST
AsrPersistenceThroughWmiBlocked SCAN_HOST
AsrRansomwareAudited SCAN_HOST
AsrRansomwareBlocked SCAN_HOST
AsrVulnerableSignedDriverAudited SCAN_HOST
AsrVulnerableSignedDriverBlocked SCAN_HOST
BluetoothPolicyTriggered STATUS_UPDATE
ClrUnbackedModuleLoaded PROCESS_MODULE_LOAD
ControlFlowGuardViolation STATUS_UPDATE
DeviceBootAttestationInfo STATUS_UPDATE
DriverLoad PROCESS_MODULE_LOAD
ExploitGuardEafViolationAudited SCAN_HOST
ExploitGuardEafViolationBlocked SCAN_HOST
ExploitGuardIafViolationAudited SCAN_HOST
ExploitGuardIafViolationBlocked SCAN_HOST
ExploitGuardNonMicrosoftSignedAudited SCAN_HOST
ExploitGuardNonMicrosoftSignedBlocked SCAN_HOST
ExploitGuardRopExploitAudited SCAN_HOST
ExploitGuardRopExploitBlocked SCAN_HOST
ExploitGuardWin32SystemCallAudited SCAN_HOST
ExploitGuardWin32SystemCallBlocked SCAN_HOST
GetAsyncKeyStateApiCall STATUS_UPDATE
OtherAlertRelatedActivity STATUS_UPDATE
PnpDeviceAllowed DEVICE_CONFIG_UPDATE
PnpDeviceBlocked STATUS_UPDATE
PnpDeviceConnected STATUS_UPDATE
PrintJobBlocked STATUS_UPDATE
RemovableStoragePolicyTriggered STATUS_UPDATE
SecurityLogCleared SYSTEM_AUDIT_LOG_WIPE
TvmAxonTelemetryEvent STATUS_UPDATE
UsbDriveMount DEVICE_CONFIG_UPDATE
UsbDriveMounted DEVICE_CONFIG_UPDATE
UsbDriveUnmount DEVICE_CONFIG_UPDATE
UsbDriveUnmounted DEVICE_CONFIG_UPDATE
WmiBindEventFilterToConsumer STATUS_UPDATE
TamperingAttempt SETTING_MODIFICATION
PasswordChangeAttempt USER_CHANGE_PASSWORD
LogonRightsSettingEnabled USER_CHANGE_PERMISSIONS
UserAccountCreated USER_CREATION
UserAccountDeleted USER_DELETION
LdapSearch STATUS_UPDATE
ControlledFolderAccessViolationAudited SCAN_FILE
ControlledFolderAccessViolationBlocked SCAN_FILE
ExploitGuardAcgAudited SCAN_HOST
ExploitGuardAcgEnforced SCAN_HOST
UserAccountModified USER_UNCATEGORIZED

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceEvents

The following table lists the log fields for the DeviceEvents log type and their corresponding UDM fields.

Log field UDM mapping Logic
properties.Timestamp metadata.event_timestamp
properties.ActionType metadata.event_type
properties.ReportId metadata.product_log_id
properties.LogonId network.session_id
properties.DeviceId principal.asset_id The principal.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.InitiatingProcessAccountDomain principal.administrative_domain If the properties.ActionType log field contains one of the following values, and the properties.InitiatingProcessAccountDomain log field value is not empty, then the properties.InitiatingProcessAccountDomain log field is mapped to the target.administrative_domain UDM field.
  • PasswordChangeAttempt
  • UserAccountCreated
  • UserAccountDeleted
Else, if the properties.InitiatingProcessAccountDomain log field value is not empty, then the properties.InitiatingProcessAccountDomain log field is mapped to the principal.administrative_domain UDM field.
properties.AccountDomain principal.administrative_domain If the properties.ActionType log field contains one of the following values, and the properties.InitiatingProcessAccountDomain log field value is empty, then the properties.AccountDomain log field is mapped to the target.administrative_domain UDM field.
  • PasswordChangeAttempt
  • UserAccountCreated
  • UserAccountDeleted
Else, if the properties.InitiatingProcessAccountDomain log field value is empty, then the properties.AccountDomain log field is mapped to the principal.administrative_domain UDM field.
properties.DeviceName principal.hostname
properties.LocalIP principal.ip
properties.FileOriginIP principal.ip
properties.LocalPort principal.port
properties.InitiatingProcessCommandLine principal.process.command_line
properties.InitiatingProcessFolderPath principal.process.file.full_path If the properties.InitiatingProcessFolderPath log field value already contains the properties.InitiatingProcessFileName log field value, then the properties.InitiatingProcessFolderPath log field is mapped to the principal.process.file.full_path UDM field.

Else, the principal.process.file.full_path UDM field is set to %{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}.
properties.InitiatingProcessMD5 principal.process.file.md5 If the properties.InitiatingProcessMD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessMD5 log field is mapped to the principal.process.file.md5 UDM field.
properties.InitiatingProcessFileName principal.process.file.names
properties.InitiatingProcessSHA1 principal.process.file.sha1 If the properties.InitiatingProcessSHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessSHA1 log field is mapped to the principal.process.file.sha1 UDM field.
properties.InitiatingProcessSHA256 principal.process.file.sha256 If the properties.InitiatingProcessSHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.InitiatingProcessSHA256 log field is mapped to the principal.process.file.sha256 UDM field.
properties.InitiatingProcessFileSize principal.process.file.size
properties.InitiatingProcessParentFileName principal.process.parent_process.file.names
properties.InitiatingProcessParentId principal.process.parent_process.pid
properties.InitiatingProcessId principal.process.pid
properties.FileOriginUrl principal.url
properties.InitiatingProcessAccountObjectId principal.user.product_object_id
properties.InitiatingProcessAccountUpn principal.user.user_display_name
properties.InitiatingProcessAccountName principal.user.userid If the properties.ActionType log field contains one of the following values, and the properties.InitiatingProcessAccountName log field value is not empty, then the properties.InitiatingProcessAccountName log field is mapped to the target.user.userid UDM field.
  • PasswordChangeAttempt
  • UserAccountCreated
  • UserAccountDeleted
Else, if the properties.InitiatingProcessAccountName log field value is not empty, then the properties.InitiatingProcessAccountName log field is mapped to the principal.user.userid UDM field.
properties.AccountName principal.user.userid If the properties.ActionType log field contains one of the following values, and the properties.InitiatingProcessAccountName log field value is empty, then the properties.AccountName log field is mapped to the target.user.userid UDM field.
  • PasswordChangeAttempt
  • UserAccountCreated
  • UserAccountDeleted
Else, if the properties.InitiatingProcessAccountName log field value is empty, then the properties.AccountName log field is mapped to the principal.user.userid UDM field.
properties.InitiatingProcessAccountSid principal.user.windows_sid If the properties.ActionType log field contains one of the following values, and the properties.InitiatingProcessAccountSid log field value is not empty, then the properties.InitiatingProcessAccountSid log field is mapped to the target.user.windows_sid UDM field.
  • PasswordChangeAttempt
  • UserAccountCreated
  • UserAccountDeleted
Else, if the properties.InitiatingProcessAccountSid log field value is not empty, then the properties.InitiatingProcessAccountSid log field is mapped to the principal.user.windows_sid UDM field.
properties.AccountSid principal.user.windows_sid If the properties.ActionType log field contains one of the following values, and the properties.InitiatingProcessAccountSid log field value is empty, then the properties.AccountSid log field is mapped to the target.user.windows_sid UDM field.
  • PasswordChangeAttempt
  • UserAccountCreated
  • UserAccountDeleted
Else, if the properties.InitiatingProcessAccountSid log field value is empty, then the properties.AccountSid log field is mapped to the principal.user.windows_sid UDM field.
properties.ActionType security_result.action If the properties.ActionType log field value matches the regular expression pattern (?i)Allow, then the security_result.action UDM field is set to ALLOW.

Else if the properties.ActionType log field value matches the regular expression pattern (?i)Block, then the security_result.action UDM field is set to BLOCK.

Else if the properties.ActionType log field value matches the regular expression pattern (?i)Fail, then the security_result.action UDM field is set to FAIL.
properties.FolderPath target.file.full_path If the properties.ActionType log field value is one of the following process-related action types
  • ProcessCreatedUsingWmiQuery
  • OpenProcessApiCall
  • MemoryRemoteProtect
  • NtAllocateVirtualMemoryApiCall
  • NtAllocateVirtualMemoryRemoteApiCall
  • NtMapViewOfSectionRemoteApiCall
  • NtProtectVirtualMemoryApiCall
  • ProcessPrimaryTokenModified
  • ReadProcessMemoryApiCall
  • SetThreadContextRemoteApiCall
  • WriteProcessMemoryApiCall
  • WriteToLsassProcessMemory
  • CreateRemoteThreadApiCall
  • AsrOfficeProcessInjectionAudited
  • AsrAdobeReaderChildProcessAudited
  • AsrAdobeReaderChildProcessBlocked
  • AsrOfficeChildProcessAudited
  • AsrOfficeCommAppChildProcessAudited
  • AsrPsexecWmiChildProcessAudited
  • AsrUntrustedUsbProcessAudited
  • ExploitGuardChildProcessAudited
  • AsrOfficeChildProcessBlocked
  • AsrOfficeProcessInjectionBlocked
  • AsrPsexecWmiChildProcessBlocked
  • AsrUntrustedUsbProcessBlocked
  • ExploitGuardChildProcessBlocked
  • AsrOfficeCommAppChildProcessBlocked
and the properties.FolderPath log field value already contains the properties.FileName log field value, then the properties.FolderPath log field is mapped to the target.process.file.full_path UDM field. Otherwise, for those action types, the target.process.file.full_path UDM field is set to %{properties.FolderPath}\%{properties.FileName}.
For any other properties.ActionType value, if the properties.FolderPath log field value already contains the properties.FileName log field value, then the properties.FolderPath log field is mapped to the target.file.full_path UDM field. Otherwise, the target.file.full_path UDM field is set to %{properties.FolderPath}\%{properties.FileName}.
properties.MD5 target.file.md5 If the properties.ActionType log field value is one of the process-related action types listed for properties.FolderPath, and the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.MD5 log field is mapped to the target.process.file.md5 UDM field.
For any other properties.ActionType value, if the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.MD5 log field is mapped to the target.file.md5 UDM field.
properties.FileName target.file.names If the properties.ActionType log field value is one of the process-related action types listed for properties.FolderPath, and the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.FileName log field is mapped to the target.process.file.names UDM field.
For any other properties.ActionType value, if the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.FileName log field is mapped to the target.file.names UDM field.
properties.SHA1 target.file.sha1 If the properties.ActionType log field value is one of the process-related action types listed for properties.FolderPath, and the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.SHA1 log field is mapped to the target.process.file.sha1 UDM field.
For any other properties.ActionType value, if the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.SHA1 log field is mapped to the target.file.sha1 UDM field.
properties.SHA256 target.file.sha256 If the properties.ActionType log field value is one of the process-related action types listed for properties.FolderPath, and the properties.SHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.SHA256 log field is mapped to the target.process.file.sha256 UDM field.
For any other properties.ActionType value, if the properties.SHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.SHA256 log field is mapped to the target.file.sha256 UDM field.
properties.FileSize target.file.size If the properties.ActionType log field value is one of the process-related action types listed for properties.FolderPath, and the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.FileSize log field is mapped to the target.process.file.size UDM field.
For any other properties.ActionType value, if the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.FileSize log field is mapped to the target.file.size UDM field.
properties.RemoteDeviceName target.hostname
properties.RemoteIP target.ip
properties.RemotePort target.port
properties.ProcessCommandLine target.process.command_line
properties.ProcessId target.process.pid
properties.ProcessTokenElevation target.process.token_elevation_type If the properties.ProcessTokenElevation log field value is equal to TokenElevationTypeFull, then the target.process.token_elevation_type UDM field is set to TYPE_1.

Else, if the properties.ProcessTokenElevation log field value is equal to TokenElevationTypeDefault, then the target.process.token_elevation_type UDM field is set to TYPE_2.

Else, if the properties.ProcessTokenElevation log field value is equal to TokenElevationTypeLimited, then the target.process.token_elevation_type UDM field is set to TYPE_3.
properties.RegistryKey target.registry.registry_key
properties.RegistryValueData target.registry.registry_value_data
properties.RegistryValueName target.registry.registry_value_name
properties.RemoteUrl target.url
properties.AdditionalFields additional.fields[additional_fields]
properties.AppGuardContainerId additional.fields[app_guard_container_id]
properties.InitiatingProcessCreationTime additional.fields[initiating_process_creation_time]
properties.InitiatingProcessLogonId additional.fields[initiating_process_logon_id]
properties.InitiatingProcessParentCreationTime additional.fields[initiating_process_parent_creation_time]
properties.ProcessCreationTime additional.fields[process_creation_time]
properties.InitiatingProcessVersionInfoCompanyName principal.process.file.exif_info.company
properties.InitiatingProcessVersionInfoFileDescription principal.process.file.exif_info.file_description
properties.InitiatingProcessVersionInfoInternalFileName additional.fields[process_version_info_internal_file_name]
properties.InitiatingProcessVersionInfoOriginalFileName principal.process.file.exif_info.original_file
properties.InitiatingProcessVersionInfoProductName principal.process.file.exif_info.product
properties.InitiatingProcessVersionInfoProductVersion additional.fields[process_version_info_product_version]
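The DeviceEvents rules in the table above (account routing, process-versus-file target selection, full-path construction, hash validation, security_result.action and token elevation) as a runnable Python model over constructed sample records. This is an added example, not Google SecOps parser code: it covers only a subset of the action-type table and of the process-related action list, the sample records are made up, and it follows the page in joining the initiating-process path with "/" and the target path with "\".

```python
import re

# Constructed subset of the documented DeviceEvents ActionType -> event type table.
EVENT_TYPES = {
    "UserAccountCreated": "USER_CREATION",
    "WriteToLsassProcessMemory": "PROCESS_UNCATEGORIZED",
    "FirewallInboundConnectionBlocked": "NETWORK_CONNECTION",
}

# Account-management actions: account fields land on target.* instead of principal.*.
ACCOUNT_MGMT_ACTIONS = {"PasswordChangeAttempt", "UserAccountCreated", "UserAccountDeleted"}

# Subset of the documented process-related actions: FolderPath/FileName/hashes
# describe target.process.file rather than target.file.
PROCESS_TARGET_ACTIONS = {
    "ProcessCreatedUsingWmiQuery", "OpenProcessApiCall", "MemoryRemoteProtect",
    "WriteToLsassProcessMemory", "CreateRemoteThreadApiCall",
    "AsrOfficeChildProcessBlocked", "AsrPsexecWmiChildProcessBlocked",
}

HEX_HASH = re.compile(r"^[0-9a-f]+$")        # documented MD5 / SHA1 check (lowercase only)
SHA256_HASH = re.compile(r"^[a-f0-9]{64}$")  # documented SHA256 check

TOKEN_ELEVATION = {
    "TokenElevationTypeFull": "TYPE_1",
    "TokenElevationTypeDefault": "TYPE_2",
    "TokenElevationTypeLimited": "TYPE_3",
}


def full_path(folder, name, sep):
    """Use FolderPath as-is when it already contains FileName; otherwise join them with sep."""
    if name and name in folder:
        return folder
    return f"{folder}{sep}{name}"


def security_action(action_type):
    """security_result.action: first of Allow / Block / Fail found in ActionType, case-insensitive."""
    for needle, verdict in (("allow", "ALLOW"), ("block", "BLOCK"), ("fail", "FAIL")):
        if re.search(needle, action_type, re.IGNORECASE):
            return verdict
    return None


def map_device_event(p):
    """Map the 'properties' object of one DeviceEvents record to a flat dict of UDM fields."""
    udm = {}
    action = p.get("ActionType") or ""
    udm["metadata.event_type"] = EVENT_TYPES.get(action, "GENERIC_EVENT")
    udm["principal.asset_id"] = f"DeviceID:{p.get('DeviceId', '')}"

    # The InitiatingProcessAccount* value wins; AccountName/AccountSid/AccountDomain
    # are consulted only when the initiating value is empty.
    side = "target" if action in ACCOUNT_MGMT_ACTIONS else "principal"
    for init_key, fallback_key, udm_suffix in (
        ("InitiatingProcessAccountName", "AccountName", "user.userid"),
        ("InitiatingProcessAccountSid", "AccountSid", "user.windows_sid"),
        ("InitiatingProcessAccountDomain", "AccountDomain", "administrative_domain"),
    ):
        value = p.get(init_key) or p.get(fallback_key)
        if value:
            udm[f"{side}.{udm_suffix}"] = value

    if p.get("InitiatingProcessFolderPath"):
        udm["principal.process.file.full_path"] = full_path(
            p["InitiatingProcessFolderPath"], p.get("InitiatingProcessFileName") or "", "/")

    # Target side: process.file for the process-related actions, file otherwise.
    target = "target.process.file" if action in PROCESS_TARGET_ACTIONS else "target.file"
    if p.get("FolderPath"):
        udm[f"{target}.full_path"] = full_path(p["FolderPath"], p.get("FileName") or "", "\\")
    for key, suffix, pattern in (("MD5", "md5", HEX_HASH), ("SHA1", "sha1", HEX_HASH),
                                 ("SHA256", "sha256", SHA256_HASH)):
        if pattern.match(p.get(key) or ""):  # a hash that fails the pattern is dropped, not fixed
            udm[f"{target}.{suffix}"] = p[key]

    verdict = security_action(action)
    if verdict:
        udm["security_result.action"] = verdict
    if p.get("ProcessTokenElevation") in TOKEN_ELEVATION:
        udm["target.process.token_elevation_type"] = TOKEN_ELEVATION[p["ProcessTokenElevation"]]
    return udm


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {   # memory write into LSASS by a user-launched tool; MD5 deliberately uppercase
        "ActionType": "WriteToLsassProcessMemory", "DeviceId": "0123abcd",
        "InitiatingProcessAccountName": "jdoe", "InitiatingProcessAccountDomain": "EXAMPLE",
        "InitiatingProcessFolderPath": "c:\\users\\jdoe\\tool.exe", "InitiatingProcessFileName": "tool.exe",
        "FolderPath": "c:\\windows\\system32", "FileName": "lsass.exe",
        "SHA256": "a" * 64, "MD5": "ABCDEF0123456789ABCDEF0123456789",
    },
    {   # local account creation where only AccountName is populated
        "ActionType": "UserAccountCreated", "DeviceId": "0123abcd",
        "InitiatingProcessAccountName": "", "AccountName": "svc-backup", "AccountDomain": "EXAMPLE",
    },
    {   # blocked inbound connection attributed to a fully elevated process
        "ActionType": "FirewallInboundConnectionBlocked", "DeviceId": "0123abcd",
        "ProcessTokenElevation": "TokenElevationTypeFull",
    },
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(map_device_event(event))
```

Two consequences of the documented logic show up in the samples: an uppercase MD5 fails the lowercase-only ^[0-9a-f]+$ check and is dropped rather than normalized, and on an account-management event where the initiating-process account is populated, AccountName is never mapped, so the created or modified account name reaches UDM only when the initiating-process account fields are empty. Check which of these shapes your tenant actually emits before writing detections against target.user.userid.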

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - AlertEvidence

The following table lists the log fields for the AlertEvidence log type and their corresponding UDM fields.

Log field UDM mapping Logic
properties.Application additional.fields[application]
metadata.event_type The metadata.event_type UDM field is set to SCAN_HOST.
properties.DeviceId principal.asset_id If the properties.DeviceId log field value is not empty, then the principal.asset_id UDM field is set to DeviceID:%{properties.DeviceId}.
properties.DeviceName principal.hostname If the properties.DeviceName log field value is not empty, then the properties.DeviceName log field is mapped to the principal.hostname UDM field.
Else, if the properties.AdditionalFields.HostName log field value is not empty, then the properties.AdditionalFields.HostName log field is mapped to the principal.hostname UDM field.
Else, if the properties.AdditionalFields.Host.HostName log field value is not empty, then the properties.AdditionalFields.Host.HostName log field is mapped to the principal.hostname UDM field.
Else, if the properties.AdditionalFields.ImageFile.Host.HostName log field value is not empty, then the properties.AdditionalFields.ImageFile.Host.HostName log field is mapped to the principal.hostname UDM field.
properties.LocalIP principal.asset.ip If the properties.LocalIP log field value is not empty, then the properties.LocalIP log field is mapped to the principal.asset.ip UDM field.
properties.FolderPath target.file.full_path If the properties.FolderPath log field value already contains the properties.FileName log field value, then the properties.FolderPath log field is mapped to the target.file.full_path UDM field.

Else, the target.file.full_path UDM field is set to %{properties.FolderPath}/%{properties.FileName}.
properties.FileName target.file.names
properties.SHA1 target.file.sha1 If the properties.SHA1 log field value matches the regular expression pattern ^the 0-9a-f log field value+$, then the properties.SHA1 log field is mapped to the target.file.sha1 UDM field.
properties.SHA256 target.file.sha256 If the properties.SHA256 log field value matches the regular expression pattern ^the a-f0-9, then 64$, then the properties.SHA256 log field is mapped to the target.file.sha256 UDM field.
properties.FileSize target.file.size
properties.AccountDomain principal.administrative_domain
properties.RemoteIP target.ip
properties.AdditionalFields additional.fields[additionalfields]
properties.ProcessCommandLine target.process.command_line
properties.RegistryKey target.registry.registry_key
properties.RegistryValueData target.registry.registry_value_data
properties.RegistryValueName target.registry.registry_value_name
properties.CloudPlatform principal.resource.attribute.cloud.environment If the properties.CloudPlatform log field value matches the regular expression pattern /(?i)Amazon Web Services/, then the principal.resource.attribute.cloud.environment UDM field is set to AMAZON_WEB_SERVICES.

Else, if the properties.CloudPlatform log field value matches the regular expression pattern /(?i)Google Cloud Platform/, then the principal.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM.

Else, if the properties.CloudPlatform log field value matches the regular expression pattern /(?i)Azure/, then the principal.resource.attribute.cloud.environment UDM field is set to MICROSOFT_AZURE.

Else, the principal.resource.attribute.cloud.environment UDM field is set to UNSPECIFIED_CLOUD_ENVIRONMENT.
properties.SubscriptionId principal.resource.attribute.labels[subscription_id]
properties.CloudResource principal.resource.name
properties.ResourceID principal.resource.product_object_id
principal.resource.resource_type The principal.resource.resource_type UDM field is set to CLOUD_PROJECT.
properties.Categories security_result.category_details
properties.Severity security_result.severity
properties.Title security_result.summary
properties.Title security_result.threat_name
properties.Title security_result.rule_name
properties.ThreatFamily security_result.detection_fields[threat_family]
properties.RemoteUrl target.url
properties.EvidenceDirection principal.user.attribute.labels[evidence_direction]
properties.EvidenceRole principal.user.attribute.labels[evidence_role]
properties.AccountObjectId additional.fields[account_object_id]
properties.AccountUpn principal.user.user_display_name
properties.AccountName principal.user.userid
properties.AccountSid principal.user.windows_sid
properties.Timestamp metadata.event_timestamp
properties.EntityType principal.resource.resource_subtype
properties.AlertId metadata.product_log_id
properties.DetectionSource security_result.about.resource.attribute.labels[detection_source]
properties.ServiceSource security_result.about.resource.attribute.labels[service_source]
properties.AttackTechniques security_result.attack_details.techniques.name
properties.ApplicationId additional.fields[application_id]
properties.EmailSubject network.email.subject
properties.NetworkMessageId network.email.mail_id
properties.OAuthApplicationId additional.fields[oauth_application_id]
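The conditional rows of the AlertEvidence table (the hostname fallback chain, the FolderPath/FileName join, the lowercase-hex hash checks and the CloudPlatform regex chain) are easiest to reason about when applied to a record. The following Python is an added example written for this page, not Google SecOps parser code; the record is constructed, the mapping is limited to the rows shown, and it assumes the CloudPlatform branch only runs when that field is present.

```python
import re

# Patterns the AlertEvidence table applies before accepting a hash value.
SHA1_RE = re.compile(r"^[0-9a-f]+$")
SHA256_RE = re.compile(r"^[a-f0-9]{64}$")

# Constructed AlertEvidence record (not a real Defender export). DeviceName is
# blank on purpose so the hostname fallback chain is exercised, and SHA1 is
# uppercase on purpose so the hash check rejects it.
SAMPLE_ALERT_EVIDENCE = {
    "properties": {
        "AlertId": "da0000000000000000000000",
        "Timestamp": "2024-05-01T10:15:30.000Z",
        "DeviceId": "0123456789abcdef0123456789abcdef01234567",
        "DeviceName": "",
        "AdditionalFields": {"HostName": "ws-finance-07"},
        "LocalIP": "10.20.30.40",
        "FolderPath": r"C:\Users\alice\Downloads\invoice.exe",
        "FileName": "invoice.exe",
        "SHA1": "3A9F3B5C7D9E1F2A3B4C5D6E7F8A9B0C1D2E3F4A",
        "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "CloudPlatform": "Google Cloud Platform",
        "Severity": "High",
        "Title": "Suspicious executable launched from Downloads",
    }
}

# Hostname sources in the order the table lists them; the first non-empty wins.
HOSTNAME_SOURCES = (
    "DeviceName",
    "AdditionalFields.HostName",
    "AdditionalFields.Host.HostName",
    "AdditionalFields.ImageFile.Host.HostName",
)


def _get(obj, dotted):
    """Walk a dotted path through nested dicts; return None when absent or empty."""
    for key in dotted.split("."):
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj or None


def file_full_path(folder_path, file_name):
    """Table rule: keep FolderPath when it already contains FileName, else join with '/'."""
    if not folder_path:
        return None
    if file_name and re.search(re.escape(file_name), folder_path):
        return folder_path
    return f"{folder_path}/{file_name}" if file_name else folder_path


def cloud_environment(platform):
    """CloudPlatform regex chain from the table: case-insensitive substring match."""
    if re.search(r"(?i)Amazon Web Services", platform):
        return "AMAZON_WEB_SERVICES"
    if re.search(r"(?i)Google Cloud Platform", platform):
        return "GOOGLE_CLOUD_PLATFORM"
    if re.search(r"(?i)Azure", platform):
        return "MICROSOFT_AZURE"
    return "UNSPECIFIED_CLOUD_ENVIRONMENT"


def map_alert_evidence(record):
    """Return a flat dict of UDM paths for the conditional rows of the AlertEvidence table."""
    p = record.get("properties", {})
    udm = {"metadata.event_type": "SCAN_HOST"}

    if p.get("DeviceId"):
        udm["principal.asset_id"] = f"DeviceID:{p['DeviceId']}"

    for dotted in HOSTNAME_SOURCES:
        host = _get(p, dotted)
        if host:
            udm["principal.hostname"] = host
            break

    if p.get("LocalIP"):
        udm["principal.asset.ip"] = p["LocalIP"]

    full_path = file_full_path(p.get("FolderPath"), p.get("FileName"))
    if full_path:
        udm["target.file.full_path"] = full_path
    if p.get("FileName"):
        udm["target.file.names"] = p["FileName"]

    # Hashes that fail the lowercase-hex pattern are dropped, not normalised.
    if p.get("SHA1") and SHA1_RE.match(p["SHA1"]):
        udm["target.file.sha1"] = p["SHA1"]
    if p.get("SHA256") and SHA256_RE.match(p["SHA256"]):
        udm["target.file.sha256"] = p["SHA256"]

    # Assumption: the CloudPlatform branch only runs when the field is present.
    if p.get("CloudPlatform"):
        udm["principal.resource.attribute.cloud.environment"] = cloud_environment(p["CloudPlatform"])

    for src, dst in (("Severity", "security_result.severity"),
                     ("Title", "security_result.summary"),
                     ("AlertId", "metadata.product_log_id")):
        if p.get(src):
            udm[dst] = p[src]
    return udm


if __name__ == "__main__":
    for path, value in sorted(map_alert_evidence(SAMPLE_ALERT_EVIDENCE).items()):
        print(f"{path} = {value}")
```

Running it shows two behaviours worth knowing when writing detection rules: the sample SHA1 is uppercase, fails ^[0-9a-f]+$ and is dropped rather than lowercased, so target.file.sha1 is absent from the UDM event and a hash-based rule would not match it; and the hostname comes from AdditionalFields.HostName because DeviceName was empty, so rules should not assume principal.hostname always reflects the onboarded device's name.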

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - AlertInfo

The following table lists the log fields for the AlertInfo log type and their corresponding UDM fields.

Log field UDM mapping Logic
is_alert The is_alert UDM field is set to true.
is_significant The is_significant UDM field is set to true.
properties.Timestamp metadata.event_timestamp
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
properties.AlertId metadata.product_log_id
properties.AttackTechniques security_result.attack_details.techniques.name
properties.DetectionSource security_result.detection_fields[detection_source]
properties.ServiceSource security_result.detection_fields[service_source]
properties.Severity security_result.severity If the properties.Severity log field value matches the regular expression pattern (?i)(informational), then the security_result.severity UDM field is set to INFORMATIONAL.

Else, if the properties.Severity log field value matches the regular expression pattern (?i)(low), then the security_result.severity UDM field is set to LOW.

Else, if the properties.Severity log field value matches the regular expression pattern (?i)(medium), then the security_result.severity UDM field is set to MEDIUM.

Else, if the properties.Severity log field value matches the regular expression pattern (?i)(high), then the security_result.severity UDM field is set to HIGH.
properties.Category security_result.category_details
properties.Title security_result.threat_name
properties.Title security_result.rule_name

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceAlertEvents

The following table lists the log fields for the DeviceAlertEvents log type and their corresponding UDM fields.

Log field UDM mapping Logic
is_alert The is_alert UDM field is set to true.
is_significant The is_significant UDM field is set to true.
properties.Timestamp metadata.event_timestamp
metadata.event_type The metadata.event_type UDM field is set to SCAN_HOST.
properties.ReportId security_result.detection_fields[report_id]
properties.DeviceId principal.asset_id The principal.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.MachineGroup principal.group.group_display_name
properties.DeviceName principal.hostname
properties.AttackTechniques security_result.attack_details.techniques.name
properties.Category security_result.category_details
properties.AlertId metadata.product_log_id
properties.MitreTechniques security_result.detection_fields[mitre_techniques]
properties.Severity security_result.severity If the properties.Severity log field value is equal to High, then the security_result.severity UDM field is set to HIGH.

Else, if the properties.Severity log field value is equal to Medium, then the security_result.severity UDM field is set to MEDIUM.

Else, if the properties.Severity log field value is equal to Low, then the security_result.severity UDM field is set to LOW.

Else, if the properties.Severity log field value is equal to Informational, then the security_result.severity UDM field is set to INFORMATIONAL.
properties.Title security_result.threat_name
properties.Title security_result.rule_name
properties.RemoteIp target.ip
properties.FileName target.file.names
properties.SHA1 target.file.sha1 If the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.SHA1 log field is mapped to the target.file.sha1 UDM field.
properties.RemoteUrl target.url
properties.Table additional.fields[table]

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceFileCertificateInfo

The following table lists the log fields for the DeviceFileCertificateInfo log type and their corresponding UDM fields.

Log field UDM mapping Logic
properties.Timestamp metadata.event_timestamp
metadata.event_type The metadata.event_type UDM field is set to STATUS_UPDATE.
properties.ReportId metadata.product_log_id
properties.DeviceId principal.asset_id The principal.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.SHA1 principal.file.sha1 If the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.SHA1 log field is mapped to the principal.file.sha1 UDM field.
properties.Issuer principal.file.signature_info.sigcheck.signers.cert_issuer
properties.Signer principal.file.signature_info.sigcheck.signers.name
properties.IsSigned principal.file.signature_info.sigcheck.verified If the properties.IsSigned log field value is equal to true, then the principal.file.signature_info.sigcheck.verified UDM field is set to TRUE.

Else, the principal.file.signature_info.sigcheck.verified UDM field is set to FALSE.
properties.DeviceName principal.hostname
properties.CertificateCountersignatureTime additional.fields[certificate_countersignature_time]
properties.CertificateSerialNumber additional.fields[certificate_serial_number]
properties.CertificateCreationTime additional.fields[certification_creation_time]
properties.CertificateExpirationTime additional.fields[certification_expiration_time]
properties.CrlDistributionPointUrls additional.fields[crl_distribution_point_urls]
properties.IsRootSignerMicrosoft additional.fields[is_root_signer_microsoft]
properties.IsTrusted additional.fields[is_trusted]
properties.IssuerHash additional.fields[issuer_hash]
properties.SignatureType additional.fields[signature_type]
properties.SignerHash additional.fields[signer_hash]

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceImageLoadEvents

The following table lists the log fields for the DeviceImageLoadEvents log type and their corresponding UDM fields.

Log field UDM mapping Logic
properties.Timestamp metadata.event_timestamp
metadata.event_type The metadata.event_type UDM field is set to PROCESS_MODULE_LOAD.
properties.ReportId metadata.product_log_id
properties.InitiatingProcessAccountDomain principal.administrative_domain
properties.DeviceId principal.asset_id The principal.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.DeviceName principal.hostname
properties.InitiatingProcessCommandLine principal.process.command_line
properties.InitiatingProcessFolderPath principal.process.file.full_path If the properties.InitiatingProcessFolderPath log field value already contains the properties.InitiatingProcessFileName log field value (a regular expression match), then the properties.InitiatingProcessFolderPath log field is mapped to the principal.process.file.full_path UDM field.

Else, the principal.process.file.full_path is set to %{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}.
properties.InitiatingProcessMD5 principal.process.file.md5 If the properties.InitiatingProcessMD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessMD5 log field is mapped to the principal.process.file.md5 UDM field.
properties.InitiatingProcessFileName principal.process.file.names
properties.InitiatingProcessSHA1 principal.process.file.sha1 If the properties.InitiatingProcessSHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessSHA1 log field is mapped to the principal.process.file.sha1 UDM field.
properties.InitiatingProcessSHA256 principal.process.file.sha256 If the properties.InitiatingProcessSHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.InitiatingProcessSHA256 log field is mapped to the principal.process.file.sha256 UDM field.
properties.InitiatingProcessFileSize principal.process.file.size
properties.InitiatingProcessParentFileName principal.process.parent_process.file.names
properties.InitiatingProcessParentId principal.process.parent_process.pid
properties.InitiatingProcessId principal.process.pid
properties.InitiatingProcessTokenElevation principal.process.token_elevation_type If the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeFull, then the principal.process.token_elevation_type UDM field is set to TYPE_1.

Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeDefault, then the principal.process.token_elevation_type UDM field is set to TYPE_2.

Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeLimited, then the principal.process.token_elevation_type UDM field is set to TYPE_3.
properties.InitiatingProcessAccountObjectId principal.user.product_object_id
properties.InitiatingProcessAccountUpn principal.user.user_display_name
properties.InitiatingProcessAccountName principal.user.userid
properties.InitiatingProcessAccountSid principal.user.windows_sid
properties.FolderPath target.process.file.full_path If the properties.FolderPath log field value already contains the properties.FileName log field value (a regular expression match), then the properties.FolderPath log field is mapped to the target.process.file.full_path UDM field.

Else, the target.process.file.full_path UDM field is set to %{properties.FolderPath}/%{properties.FileName}.
properties.MD5 target.process.file.md5 If the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.MD5 log field is mapped to the target.process.file.md5 UDM field.
properties.FileName target.process.file.names
properties.SHA1 target.process.file.sha1 If the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.SHA1 log field is mapped to the target.process.file.sha1 UDM field.
properties.SHA256 target.process.file.sha256 If the properties.SHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.SHA256 log field is mapped to the target.process.file.sha256 UDM field.
properties.FileSize target.process.file.size
properties.FolderPath target.file.full_path If the properties.FolderPath log field value already contains the properties.FileName log field value (a regular expression match), then the properties.FolderPath log field is mapped to the target.file.full_path UDM field.

Else, the target.file.full_path UDM field is set to %{properties.FolderPath}/%{properties.FileName}.
properties.MD5 target.file.md5 If the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.MD5 log field is mapped to the target.file.md5 UDM field.
properties.FileName target.file.names
properties.SHA1 target.file.sha1 If the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.SHA1 log field is mapped to the target.file.sha1 UDM field.
properties.SHA256 target.file.sha256 If the properties.SHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.SHA256 log field is mapped to the target.file.sha256 UDM field.
properties.FileSize target.file.size
properties.AppGuardContainerId additional.fields[app_guard_container_id]
properties.InitiatingProcessCreationTime additional.fields[initiating_process_creation_time]
properties.InitiatingProcessIntegrityLevel additional.fields[initiating_process_integrity_level]
properties.InitiatingProcessParentCreationTime additional.fields[initiating_process_parent_creation_time]
properties.InitiatingProcessVersionInfoCompanyName principal.process.file.exif_info.company
properties.InitiatingProcessVersionInfoFileDescription principal.process.file.exif_info.file_description
properties.InitiatingProcessVersionInfoInternalFileName additional.fields[initiating_process_version_info_internal_file_name]
properties.InitiatingProcessVersionInfoOriginalFileName principal.process.file.exif_info.original_file
properties.InitiatingProcessVersionInfoProductName principal.process.file.exif_info.product
properties.InitiatingProcessVersionInfoProductVersion additional.fields[initiating_process_version_info_product_version]

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceFileEvents

The following table lists the log fields for the DeviceFileEvents log type and their corresponding UDM fields.

Log field UDM mapping Logic
properties.Timestamp metadata.event_timestamp
properties.ActionType metadata.event_type If the properties.ActionType log field value is equal to FileCreated, then the metadata.event_type UDM field is set to FILE_CREATION.

Else, if the properties.ActionType log field value is equal to FileDeleted, then the metadata.event_type UDM field is set to FILE_DELETION.

Else, if the properties.ActionType log field value is equal to FileModified, then the metadata.event_type UDM field is set to FILE_MODIFICATION.

Else, if the properties.ActionType log field value is equal to FileRenamed, then the metadata.event_type UDM field is set to FILE_MOVE.
properties.ReportId metadata.product_log_id
properties.RequestProtocol network.application_protocol If the properties.RequestProtocol log field value is equal to SMB, then the network.application_protocol UDM field is set to SMB.

Else, if the properties.RequestProtocol log field value is equal to NFS, then the network.application_protocol UDM field is set to NFS.

Else, if the properties.RequestProtocol log field value is equal to Local, then the network.application_protocol UDM field is set to UNKNOWN_APPLICATION_PROTOCOL.
properties.FileOriginReferrerUrl network.http.referral_url
properties.InitiatingProcessAccountDomain principal.administrative_domain If the properties.InitiatingProcessAccountDomain log field value is not empty, then the properties.InitiatingProcessAccountDomain log field is mapped to the principal.administrative_domain UDM field.
properties.RequestAccountDomain principal.administrative_domain If the properties.InitiatingProcessAccountDomain log field value is empty, then the properties.RequestAccountDomain log field is mapped to the principal.administrative_domain UDM field.
properties.DeviceId principal.asset_id The principal.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.DeviceName principal.hostname
properties.FileOriginIP principal.ip
properties.RequestSourceIP principal.ip
properties.RequestSourcePort principal.port
properties.InitiatingProcessCommandLine principal.process.command_line
properties.InitiatingProcessFolderPath principal.process.file.full_path If the properties.InitiatingProcessFolderPath log field value already contains the properties.InitiatingProcessFileName log field value (a regular expression match), then the properties.InitiatingProcessFolderPath log field is mapped to the principal.process.file.full_path UDM field.

Else, the principal.process.file.full_path is set to %{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}.
properties.InitiatingProcessMD5 principal.process.file.md5 If the properties.InitiatingProcessMD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessMD5 log field is mapped to the principal.process.file.md5 UDM field.
properties.InitiatingProcessFileName principal.process.file.names
properties.InitiatingProcessSHA1 principal.process.file.sha1 If the properties.InitiatingProcessSHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessSHA1 log field is mapped to the principal.process.file.sha1 UDM field.
properties.InitiatingProcessSHA256 principal.process.file.sha256 If the properties.InitiatingProcessSHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.InitiatingProcessSHA256 log field is mapped to the principal.process.file.sha256 UDM field.
properties.InitiatingProcessFileSize principal.process.file.size
properties.InitiatingProcessParentId principal.process.parent_process.pid
properties.InitiatingProcessParentFileName principal.process.parent_process.file.names
properties.InitiatingProcessId principal.process.pid
properties.InitiatingProcessTokenElevation principal.process.token_elevation_type If the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeFull, then the principal.process.token_elevation_type UDM field is set to TYPE_1.

Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeDefault, then the principal.process.token_elevation_type UDM field is set to TYPE_2.

Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeLimited, then the principal.process.token_elevation_type UDM field is set to TYPE_3.
properties.FileOriginUrl principal.url
properties.InitiatingProcessAccountObjectId principal.user.product_object_id
properties.InitiatingProcessAccountUpn principal.user.user_display_name
properties.InitiatingProcessAccountName principal.user.userid If the properties.InitiatingProcessAccountName log field value is not empty, then the properties.InitiatingProcessAccountName log field is mapped to the principal.user.userid UDM field.
properties.RequestAccountName principal.user.userid If the properties.InitiatingProcessAccountName log field value is empty, then the properties.RequestAccountName log field is mapped to the principal.user.userid UDM field.
properties.InitiatingProcessAccountSid principal.user.windows_sid If the properties.InitiatingProcessAccountSid log field value is not empty, then the properties.InitiatingProcessAccountSid log field is mapped to the principal.user.windows_sid UDM field.
properties.RequestAccountSid principal.user.windows_sid If the properties.InitiatingProcessAccountSid log field value is empty, then the properties.RequestAccountSid log field is mapped to the principal.user.windows_sid UDM field.
properties.PreviousFolderPath src.file.full_path If the properties.PreviousFolderPath log field value already contains the properties.PreviousFileName log field value (a regular expression match), then the properties.PreviousFolderPath log field is mapped to the src.file.full_path UDM field.

Else, the src.file.full_path UDM field is set to %{properties.PreviousFolderPath}/%{properties.PreviousFileName}.
properties.PreviousFileName src.file.names
properties.FolderPath target.file.full_path If the properties.FolderPath log field value already contains the properties.FileName log field value (a regular expression match), then the properties.FolderPath log field is mapped to the target.file.full_path UDM field.

Else, the target.file.full_path UDM field is set to %{properties.FolderPath}/%{properties.FileName}.
properties.MD5 target.file.md5 If the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.MD5 log field is mapped to the target.file.md5 UDM field.
properties.FileName target.file.names
properties.SHA1 target.file.sha1 If the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.SHA1 log field is mapped to the target.file.sha1 UDM field.
properties.SHA256 target.file.sha256 If the properties.SHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.SHA256 log field is mapped to the target.file.sha256 UDM field.
properties.FileSize target.file.size
properties.SensitivityLabel target.file.tags
properties.SensitivitySubLabel target.file.tags
properties.AdditionalFields additional.fields[additional_fields]
properties.AppGuardContainerId additional.fields[app_guard_container_id]
properties.InitiatingProcessCreationTime additional.fields[initiating_process_creation_time]
properties.InitiatingProcessIntegrityLevel additional.fields[initiating_process_integrity_level]
properties.InitiatingProcessVersionInfoCompanyName principal.process.file.exif_info.company
properties.InitiatingProcessVersionInfoFileDescription principal.process.file.exif_info.file_description
properties.InitiatingProcessVersionInfoInternalFileName additional.fields[initiating_process_version_info_internal_file_name]
properties.InitiatingProcessVersionInfoOriginalFileName principal.process.file.exif_info.original_file
properties.InitiatingProcessVersionInfoProductName principal.process.file.exif_info.product
properties.InitiatingProcessVersionInfoProductVersion additional.fields[initiating_process_version_info_product_version]
properties.InitiatingProcessParentCreationTime additional.fields[initiating_process_parent_creation_time]
properties.IsAzureInfoProtectionApplied additional.fields[is_azure_info_protection_applied]
properties.ShareName additional.fields[share_name]
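The DeviceFileEvents table combines several conditional rules: ActionType selects the event type, RequestProtocol is normalised, each principal account field falls back to its Request* counterpart only when the matching InitiatingProcess* field is empty, a rename produces both src.file and target.file paths, and hash values must match the lowercase-hex patterns. The following Python is an added example written for this page, not Google SecOps parser code; the record is constructed (a rename over SMB by a remote requester with blank initiating-process account fields) and the mapping covers only the rows shown. ActionType values the table does not list are left without an event type, since the table does not state a default.

```python
import re

HEX_RE = re.compile(r"^[0-9a-f]+$")        # MD5 and SHA1 rule
SHA256_RE = re.compile(r"^[a-f0-9]{64}$")  # SHA256 rule

ACTION_TO_EVENT_TYPE = {
    "FileCreated": "FILE_CREATION",
    "FileDeleted": "FILE_DELETION",
    "FileModified": "FILE_MODIFICATION",
    "FileRenamed": "FILE_MOVE",
}
PROTOCOL_TO_UDM = {"SMB": "SMB", "NFS": "NFS", "Local": "UNKNOWN_APPLICATION_PROTOCOL"}

# Constructed DeviceFileEvents record (not a real export). The initiating-process
# account fields are blank so the Request* fallback rows apply, FolderPath omits
# the file name so the join rule fires, and SHA256 is deliberately invalid.
SAMPLE_FILE_EVENT = {"properties": {
    "Timestamp": "2024-05-01T11:02:07.000Z",
    "ReportId": 4711,
    "ActionType": "FileRenamed",
    "RequestProtocol": "SMB",
    "DeviceId": "0123456789abcdef0123456789abcdef01234567",
    "DeviceName": "fs-01.corp.example",
    "RequestSourceIP": "10.1.2.3",
    "RequestSourcePort": 49812,
    "InitiatingProcessAccountDomain": "",
    "InitiatingProcessAccountName": "",
    "InitiatingProcessAccountSid": "",
    "RequestAccountDomain": "CORP",
    "RequestAccountName": "bob",
    "RequestAccountSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
    "PreviousFolderPath": r"D:\share\finance\payroll.xlsx",
    "PreviousFileName": "payroll.xlsx",
    "FolderPath": r"D:\share\finance",
    "FileName": "payroll.xlsx.locked",
    "MD5": "d41d8cd98f00b204e9800998ecf8427e",
    "SHA256": "not-a-hash",
}}


def join_path(folder, name):
    """Keep folder when it already contains name, else '<folder>/<name>' (table rule)."""
    if not folder:
        return None
    if name and re.search(re.escape(name), folder):
        return folder
    return f"{folder}/{name}" if name else folder


def map_device_file_event(record):
    """Return a flat dict of UDM paths for the conditional rows of the DeviceFileEvents table."""
    p = record["properties"]
    udm = {}
    if p.get("ActionType") in ACTION_TO_EVENT_TYPE:
        udm["metadata.event_type"] = ACTION_TO_EVENT_TYPE[p["ActionType"]]
    if p.get("RequestProtocol") in PROTOCOL_TO_UDM:
        udm["network.application_protocol"] = PROTOCOL_TO_UDM[p["RequestProtocol"]]
    if p.get("ReportId") is not None:
        udm["metadata.product_log_id"] = str(p["ReportId"])
    if p.get("DeviceId"):
        udm["principal.asset_id"] = f"DeviceID:{p['DeviceId']}"
    if p.get("DeviceName"):
        udm["principal.hostname"] = p["DeviceName"]
    if p.get("RequestSourceIP"):
        udm["principal.ip"] = p["RequestSourceIP"]
    if p.get("RequestSourcePort") is not None:
        udm["principal.port"] = p["RequestSourcePort"]

    # Each domain/user field falls back to its Request* twin only when the matching
    # InitiatingProcess* field is empty: three independent checks, not one.
    for primary, fallback, dst in (
        ("InitiatingProcessAccountDomain", "RequestAccountDomain", "principal.administrative_domain"),
        ("InitiatingProcessAccountName", "RequestAccountName", "principal.user.userid"),
        ("InitiatingProcessAccountSid", "RequestAccountSid", "principal.user.windows_sid"),
    ):
        value = p.get(primary) or p.get(fallback)
        if value:
            udm[dst] = value

    src_path = join_path(p.get("PreviousFolderPath"), p.get("PreviousFileName"))
    if src_path:
        udm["src.file.full_path"] = src_path
    if p.get("PreviousFileName"):
        udm["src.file.names"] = p["PreviousFileName"]
    dst_path = join_path(p.get("FolderPath"), p.get("FileName"))
    if dst_path:
        udm["target.file.full_path"] = dst_path
    if p.get("FileName"):
        udm["target.file.names"] = p["FileName"]

    # Hash rows: values that fail the pattern are dropped rather than repaired.
    for src, dst, pattern in (("MD5", "target.file.md5", HEX_RE),
                              ("SHA1", "target.file.sha1", HEX_RE),
                              ("SHA256", "target.file.sha256", SHA256_RE)):
        if p.get(src) and pattern.match(p[src]):
            udm[dst] = p[src]
    return udm


if __name__ == "__main__":
    for path, value in sorted(map_device_file_event(SAMPLE_FILE_EVENT).items()):
        print(f"{path} = {value}")
```

Two details of the output matter for rule authors. The target path comes out as D:\share\finance/payroll.xlsx.locked, because the table joins with "/" whatever the device platform; the contains-check exists so that a FolderPath that already carries the file name is passed through unchanged, so the mixed-separator form only appears when it does not. And the principal user is bob from RequestAccountName, taken only because InitiatingProcessAccountName was empty; when a local process with an account performs the same action, the initiating account wins and the requester is not recorded in principal.user.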

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceInfo

The following table lists the log fields for the DeviceInfo log type and their corresponding UDM fields.

Log field UDM mapping Logic
properties.DeviceId entity.asset_id The entity.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.DeviceId entity.asset.asset_id The entity.asset.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.AadDeviceId entity.asset.attribute.labels[aad_device_id]
properties.AdditionalFields entity.asset.attribute.labels[additional_fields]
properties.ConnectivityType entity.asset.attribute.labels[connectivity_type]
properties.DeviceDynamicTags entity.asset.attribute.labels[device_dynamic_tags]
properties.DeviceManualTags entity.asset.attribute.labels[device_manual_tags]
properties.DeviceSubtype entity.asset.attribute.labels[device_subtype]
properties.HostDeviceId entity.asset.attribute.labels[host_device_id]
properties.IsAzureADJoined entity.asset.attribute.labels[is_azure_ad_joined]
properties.IsInternetFacing entity.asset.attribute.labels[is_internet_facing]
properties.JoinType entity.asset.attribute.labels[join_type]
properties.MergedDeviceIds entity.asset.attribute.labels[merged_device_ids]
properties.MergedToDeviceId entity.asset.attribute.labels[merged_to_device_id]
properties.OnboardingStatus entity.asset.attribute.labels[onboarding_status]
properties.OSArchitecture entity.asset.attribute.labels[os_architecture]
properties.OSDistribution entity.asset.attribute.labels[os_distribution]
properties.OSVersionInfo entity.asset.attribute.labels[os_version_info]
properties.RegistryDeviceTag entity.asset.attribute.labels[registry_device_tag]
properties.ReportId entity.asset.attribute.labels[report_id]
properties.SensorHealthState entity.asset.attribute.labels[sensor_health_state]
properties.DeviceCategory entity.asset.category
properties.Vendor entity.asset.hardware.manufacturer
properties.Model entity.asset.hardware.model
properties.DeviceName entity.asset.hostname
properties.PublicIP entity.asset.nat_ip
properties.OSBuild entity.asset.platform_software.platform_patch_level
properties.OSPlatform entity.asset.platform_software.platform If the properties.OSPlatform log field value matches the regular expression pattern (?i)macos, then the entity.asset.platform_software.platform UDM field is set to MAC.

Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)windows, then the entity.asset.platform_software.platform UDM field is set to WINDOWS.

Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)linux, then the entity.asset.platform_software.platform UDM field is set to LINUX.
properties.OSVersion entity.asset.platform_software.platform_version
properties.ClientVersion entity.asset.software.version
properties.DeviceType entity.asset.type If the properties.DeviceType log field value is equal to NetworkDevice, then the entity.asset.type UDM field is set to NETWORK_ATTACHED_STORAGE.

Else, if the properties.DeviceType log field value is equal to Workstation, then the entity.asset.type UDM field is set to WORKSTATION.

Else, if the properties.DeviceType log field value is equal to Server, then the entity.asset.type UDM field is set to SERVER.

Else, if the properties.DeviceType log field value is equal to Mobile, then the entity.asset.type UDM field is set to MOBILE.

Else, if the properties.DeviceType log field value is equal to Printer, then the entity.asset.type UDM field is set to PRINTER.
properties.DeviceType entity.asset.attribute.labels If the properties.DeviceType log field value is equal to GamingConsole, then the properties.DeviceType log field is mapped to the entity.asset.attribute.labels UDM field.
properties.MachineGroup entity.group.group_display_name
properties.ExclusionReason entity.security_result.detection_fields[exclusion_reason]
properties.ExposureLevel entity.security_result.detection_fields[exposure_level]
properties.IsExcluded entity.security_result.detection_fields[is_excluded]
properties.AssetValue entity.security_result.priority If the properties.AssetValue log field value is equal to High, then the entity.security_result.priority UDM field is set to HIGH_PRIORITY.

Else, if the properties.AssetValue log field value is equal to Medium, then the entity.security_result.priority UDM field is set to MEDIUM_PRIORITY.

Else, if the properties.AssetValue log field value is equal to Low, then the entity.security_result.priority UDM field is set to LOW_PRIORITY.

Else, the properties.AssetValue log field is mapped to the entity.security_result.detection_fields[asset_value] UDM field.
properties.Timestamp metadata.creation_timestamp
metadata.entity_type The metadata.entity_type UDM field is set to ASSET.
properties.DeviceId metadata.product_entity_id The metadata.product_entity_id is set to DeviceID:%{properties.DeviceId}.
relations.direction The relations.direction UDM field is set to UNIDIRECTIONAL.
relations.entity_type The relations.entity_type UDM field is set to USER.
relations.relationship The relations.relationship UDM field is set to MEMBER.
properties.LoggedOnUsers.DomainName relations.entity.domain.name
properties.LoggedOnUsers.UserName relations.entity.user.userid
properties.LoggedOnUsers.Sid relations.entity.user.windows_sid
properties.LoggedOnUsers

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceLogonEvents

The following table lists the log fields for the DeviceLogonEvents log type and their corresponding UDM fields.

Log field UDM mapping Logic
properties.LogonType extensions.auth.mechanism If the properties.LogonType log field value is equal to Interactive, then the extensions.auth.mechanism UDM field is set to INTERACTIVE.

Else, if the properties.LogonType log field value is equal to Network, then the extensions.auth.mechanism UDM field is set to NETWORK.

Else, if the properties.LogonType log field value is equal to Batch, then the extensions.auth.mechanism UDM field is set to BATCH.

Else, if the properties.LogonType log field value is equal to Service, then the extensions.auth.mechanism UDM field is set to SERVICE.

Else, if the properties.LogonType log field value is equal to RemoteInteractive, then the extensions.auth.mechanism UDM field is set to REMOTE_INTERACTIVE.
properties.Timestamp metadata.event_timestamp
metadata.event_type The metadata.event_type UDM field is set to USER_LOGIN.
properties.ReportId metadata.product_log_id
properties.Protocol network.ip_protocol If the properties.Protocol log field value is equal to Tcp, then the network.ip_protocol UDM field is set to TCP.

Else, if the properties.Protocol log field value is equal to Udp, then the network.ip_protocol UDM field is set to UDP.

Else, if the properties.Protocol log field value is equal to Icmp, then the network.ip_protocol UDM field is set to ICMP.
properties.LogonId network.session_id
properties.InitiatingProcessAccountDomain principal.administrative_domain
properties.DeviceId principal.asset_id The principal.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.DeviceName principal.hostname
properties.InitiatingProcessCommandLine principal.process.command_line
properties.InitiatingProcessFolderPath principal.process.file.full_path If the properties.InitiatingProcessFolderPath log field value already contains the properties.InitiatingProcessFileName log field value (a regular expression match), then the properties.InitiatingProcessFolderPath log field is mapped to the principal.process.file.full_path UDM field.

Else, the principal.process.file.full_path is set to %{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}.
properties.InitiatingProcessMD5 principal.process.file.md5 If the properties.InitiatingProcessMD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessMD5 log field is mapped to the principal.process.file.md5 UDM field.
properties.InitiatingProcessFileName principal.process.file.names
properties.InitiatingProcessSHA1 principal.process.file.sha1 If the properties.InitiatingProcessSHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessSHA1 log field is mapped to the principal.process.file.sha1 UDM field.
properties.InitiatingProcessSHA256 principal.process.file.sha256 If the properties.InitiatingProcessSHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.InitiatingProcessSHA256 log field is mapped to the principal.process.file.sha256 UDM field.
properties.InitiatingProcessFileSize principal.process.file.size
properties.InitiatingProcessParentFileName principal.process.parent_process.file.names
properties.InitiatingProcessParentId principal.process.parent_process.pid
properties.InitiatingProcessId principal.process.pid
properties.InitiatingProcessTokenElevation principal.process.token_elevation_type If the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeFull, then the principal.process.token_elevation_type UDM field is set to TYPE_1.

Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeDefault, then the principal.process.token_elevation_type UDM field is set to TYPE_2.

Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeLimited, then the principal.process.token_elevation_type UDM field is set to TYPE_3.
properties.InitiatingProcessAccountObjectId principal.user.product_object_id
properties.InitiatingProcessAccountUpn principal.user.user_display_name
properties.InitiatingProcessAccountName principal.user.userid
properties.InitiatingProcessAccountSid principal.user.windows_sid
properties.FailureReason security_result.description
properties.AccountDomain target.administrative_domain
properties.RemoteDeviceName target.hostname
properties.RemoteIP target.ip
properties.RemotePort target.port
properties.IsLocalAdmin target.resource.attribute.labels[is_local_admin]
properties.AccountName target.user.userid
properties.AccountSid target.user.windows_sid
properties.RemoteIPType additional.fields[remote_ip_type]
properties.AdditionalFields additional.fields[additional_fields]
properties.AppGuardContainerId additional.fields[app_guard_container_id]
properties.InitiatingProcessCreationTime additional.fields[initiating_process_creation_time]
properties.InitiatingProcessIntegrityLevel additional.fields[initiating_process_integrity_level]
properties.InitiatingProcessVersionInfoCompanyName principal.process.file.exif_info.company
properties.InitiatingProcessVersionInfoFileDescription principal.process.file.exif_info.file_description
properties.InitiatingProcessVersionInfoInternalFileName additional.fields[initiating_process_version_info_internal_file_name]
properties.InitiatingProcessVersionInfoOriginalFileName principal.process.file.exif_info.original_file
properties.InitiatingProcessVersionInfoProductName principal.process.file.exif_info.product
properties.InitiatingProcessVersionInfoProductVersion additional.fields[initiating_process_version_info_product_version]
properties.InitiatingProcessParentCreationTime additional.fields[initiating_process_parent_creation_time]

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceNetworkEvents

The following table lists the log fields for the DeviceNetworkEvents log type and their corresponding UDM fields.

Log field UDM mapping Logic
properties.Timestamp metadata.event_timestamp
metadata.event_type The metadata.event_type UDM field is set to NETWORK_CONNECTION.
properties.ReportId metadata.product_log_id
properties.Protocol network.ip_protocol If the properties.Protocol log field value is equal to Tcp, then the network.ip_protocol UDM field is set to TCP.

Else, if the properties.Protocol log field value is equal to Udp, then the network.ip_protocol UDM field is set to UDP.

Else, if the properties.Protocol log field value is equal to Icmp, then the network.ip_protocol UDM field is set to ICMP.
properties.InitiatingProcessAccountDomain principal.administrative_domain
properties.DeviceId principal.asset_id The principal.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.DeviceName principal.hostname
properties.LocalIP principal.ip
properties.LocalPort principal.port
properties.InitiatingProcessCommandLine principal.process.command_line
properties.InitiatingProcessFolderPath principal.process.file.full_path If the properties.InitiatingProcessFolderPath log field value matches a regular expression pattern formed from the properties.InitiatingProcessFileName log field value, then the properties.InitiatingProcessFolderPath log field is mapped to the principal.process.file.full_path UDM field.

Else, the principal.process.file.full_path is set to %{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}.
properties.InitiatingProcessMD5 principal.process.file.md5 If the properties.InitiatingProcessMD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessMD5 log field is mapped to the principal.process.file.md5 UDM field.
properties.InitiatingProcessFileName principal.process.file.names
properties.InitiatingProcessSHA1 principal.process.file.sha1 If the properties.InitiatingProcessSHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessSHA1 log field is mapped to the principal.process.file.sha1 UDM field.
properties.InitiatingProcessSHA256 principal.process.file.sha256 If the properties.InitiatingProcessSHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.InitiatingProcessSHA256 log field is mapped to the principal.process.file.sha256 UDM field.
properties.InitiatingProcessFileSize principal.process.file.size
properties.InitiatingProcessParentFileName principal.process.parent_process.file.names
properties.InitiatingProcessParentId principal.process.parent_process.pid
properties.InitiatingProcessId principal.process.pid
properties.InitiatingProcessTokenElevation principal.process.token_elevation_type If the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeFull, then the principal.process.token_elevation_type UDM field is set to TYPE_1.

Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeDefault, then the principal.process.token_elevation_type UDM field is set to TYPE_2.

Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeLimited, then the principal.process.token_elevation_type UDM field is set to TYPE_3.
properties.InitiatingProcessAccountObjectId principal.user.product_object_id
properties.InitiatingProcessAccountUpn principal.user.user_display_name
properties.InitiatingProcessAccountName principal.user.userid
properties.InitiatingProcessAccountSid principal.user.windows_sid
properties.RemoteIP target.ip
properties.RemotePort target.port
properties.RemoteUrl target.url
properties.LocalIPType additional.fields[LocalIPType]
properties.RemoteIPType additional.fields[RemoteIPType]
properties.AdditionalFields additional.fields[additional_fields]
properties.AppGuardContainerId additional.fields[app_guard_container_id]
properties.InitiatingProcessCreationTime additional.fields[initiating_process_creation_time]
properties.InitiatingProcessIntegrityLevel additional.fields[initiating_process_integrity_level]
properties.InitiatingProcessParentCreationTime additional.fields[initiating_process_parent_creation_time]
properties.InitiatingProcessVersionInfoCompanyName principal.process.file.exif_info.company
properties.InitiatingProcessVersionInfoFileDescription principal.process.file.exif_info.file_description
properties.InitiatingProcessVersionInfoInternalFileName additional.fields[initiating_process_version_info_internal_file_name]
properties.InitiatingProcessVersionInfoOriginalFileName principal.process.file.exif_info.original_file
properties.InitiatingProcessVersionInfoProductName principal.process.file.exif_info.product
properties.InitiatingProcessVersionInfoProductVersion additional.fields[initiating_process_version_info_product_version]

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceNetworkInfo

The following table lists the log fields for the DeviceNetworkInfo log type and their corresponding UDM fields.

Log field UDM mapping Logic
properties.DeviceId entity.asset_id The entity.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.DeviceId entity.asset.asset_id The entity.asset.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.ReportId entity.asset.attribute.labels[report_id]
properties.ConnectedNetworks entity.asset.attribute.labels[connected_networks]
properties.MacAddress entity.asset.mac
properties.NetworkAdapterName entity.asset.attribute.labels[network_adapter_name]
properties.NetworkAdapterStatus entity.asset.attribute.labels[network_adapter_status]
properties.NetworkAdapterType entity.asset.attribute.labels[network_adapter_type]
properties.NetworkAdapterVendor entity.asset.attribute.labels[network_adapter_vendor]
properties.TunnelType entity.asset.attribute.labels[tunnel_type]
properties.DefaultGateways entity.asset.attribute.labels[default_gateways]
properties.DeviceName entity.asset.hostname
properties.IPAddresses entity.asset.ip
entity.asset.type The entity.asset.type UDM field is set to WORKSTATION.
properties.DnsAddresses entity.domain.last_dns_records.type The entity.domain.last_dns_records.type UDM field is set to ip_address.
properties.DnsAddresses entity.domain.last_dns_records.value The properties.DnsAddresses log field is mapped to the entity.domain.last_dns_records.value UDM field.
properties.IPv4Dhcp entity.network.dhcp.ciaddr If the properties.IPv4Dhcp log field value is not empty, then the properties.IPv4Dhcp log field is mapped to the entity.network.dhcp.ciaddr UDM field.

Else, the properties.IPv6Dhcp log field is mapped to the entity.network.dhcp.ciaddr UDM field.
properties.Timestamp metadata.creation_time
metadata.entity_type The metadata.entity_type UDM field is set to ASSET.
properties.DeviceId metadata.product_entity_id The metadata.product_entity_id is set to DeviceID:%{properties.DeviceId}.

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceProcessEvents

The following table lists the log fields for the DeviceProcessEvents log type and their corresponding UDM fields.

Log field UDM mapping Logic
properties.Timestamp metadata.event_timestamp
properties.ActionType metadata.event_type If the properties.ActionType log field value matches the regular expression pattern (?i)ProcessCreated, then the metadata.event_type UDM field is set to PROCESS_LAUNCH.

Else, if the properties.ActionType log field value matches the regular expression pattern (?i)OpenProcess, then the metadata.event_type UDM field is set to PROCESS_OPEN.
properties.ReportId metadata.product_log_id
properties.LogonId network.session_id
properties.InitiatingProcessAccountDomain principal.administrative_domain
properties.DeviceId principal.asset_id The principal.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.DeviceName principal.hostname
properties.InitiatingProcessCommandLine principal.process.command_line
properties.InitiatingProcessFolderPath principal.process.file.full_path If the properties.InitiatingProcessFolderPath log field value matches a regular expression pattern formed from the properties.InitiatingProcessFileName log field value, then the properties.InitiatingProcessFolderPath log field is mapped to the principal.process.file.full_path UDM field.

Else, the principal.process.file.full_path is set to %{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}.
properties.InitiatingProcessMD5 principal.process.file.md5 If the properties.InitiatingProcessMD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessMD5 log field is mapped to the principal.process.file.md5 UDM field.
properties.InitiatingProcessFileName principal.process.file.names
properties.InitiatingProcessSHA1 principal.process.file.sha1 If the properties.InitiatingProcessSHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessSHA1 log field is mapped to the principal.process.file.sha1 UDM field.
properties.InitiatingProcessSHA256 principal.process.file.sha256 If the properties.InitiatingProcessSHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.InitiatingProcessSHA256 log field is mapped to the principal.process.file.sha256 UDM field.
properties.InitiatingProcessSignatureStatus principal.process.file.signature_info.sigcheck.signers.status
properties.InitiatingProcessFileSize principal.process.file.size
properties.InitiatingProcessParentId principal.process.parent_process.pid
properties.InitiatingProcessParentFileName principal.process.parent_process.file.names
properties.InitiatingProcessId principal.process.pid
properties.InitiatingProcessTokenElevation principal.process.token_elevation_type If the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeFull, then the principal.process.token_elevation_type UDM field is set to TYPE_1.

Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeDefault, then the principal.process.token_elevation_type UDM field is set to TYPE_2.

Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeLimited, then the principal.process.token_elevation_type UDM field is set to TYPE_3.
properties.InitiatingProcessAccountObjectId principal.user.product_object_id
properties.InitiatingProcessAccountUpn principal.user.user_display_name
properties.InitiatingProcessAccountName principal.user.userid
properties.InitiatingProcessAccountSid principal.user.windows_sid
properties.AccountDomain target.administrative_domain
properties.FolderPath target.file.full_path If the properties.FolderPath log field value matches a regular expression pattern formed from the properties.FileName log field value, then the properties.FolderPath log field is mapped to the target.file.full_path UDM field.

Else, the target.file.full_path is set to %{properties.FolderPath}/%{properties.FileName}.
properties.MD5 target.process.file.md5 If the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.MD5 log field is mapped to the target.file.md5 UDM field.
properties.FileName target.process.file.names
properties.SHA1 target.process.file.sha1 If the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.SHA1 log field is mapped to the target.file.sha1 UDM field.
properties.SHA256 target.process.file.sha256 If the properties.SHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.SHA256 log field is mapped to the target.file.sha256 UDM field.
properties.FileSize target.process.file.size
properties.ProcessCommandLine target.process.command_line
properties.ProcessId target.process.pid
properties.ProcessTokenElevation target.process.token_elevation_type If the properties.ProcessTokenElevation log field value is equal to TokenElevationTypeFull, then the target.process.token_elevation_type UDM field is set to TYPE_1.

Else, if the properties.ProcessTokenElevation log field value is equal to TokenElevationTypeDefault, then the target.process.token_elevation_type UDM field is set to TYPE_2.

Else, if the properties.ProcessTokenElevation log field value is equal to TokenElevationTypeLimited, then the target.process.token_elevation_type UDM field is set to TYPE_3.
properties.ProcessIntegrityLevel target.resource.attribute.labels[process_integrity_level]
properties.AccountUpn target.user.user_display_name
properties.AccountName target.user.userid
properties.AccountSid target.user.windows_sid
properties.InitiatingProcessCreationTime additional.fields[initiating_process_creation_time]
properties.InitiatingProcessParentCreationTime additional.fields[initiating_process_parent_creation_time]
properties.AccountObjectId additional.fields[account_object_id]
properties.AdditionalFields additional.fields[additional_fields]
properties.AppGuardContainerId additional.fields[app_guard_container_id]
properties.InitiatingProcessIntegrityLevel additional.fields[initiating_process_integrity_level]
properties.InitiatingProcessLogonId additional.fields[initiating_process_logon_id]
properties.InitiatingProcessSignerType additional.fields[initiating_process_signer_type]
properties.InitiatingProcessVersionInfoCompanyName principal.process.file.exif_info.company
properties.InitiatingProcessVersionInfoFileDescription principal.process.file.exif_info.file_description
properties.InitiatingProcessVersionInfoInternalFileName additional.fields[initiating_process_version_info_internal_file_name]
properties.InitiatingProcessVersionInfoOriginalFileName principal.process.file.exif_info.original_file
properties.InitiatingProcessVersionInfoProductName principal.process.file.exif_info.product
properties.InitiatingProcessVersionInfoProductVersion additional.fields[initiating_process_version_info_product_version]
properties.ProcessCreationTime additional.fields[process_creation_time]
properties.ProcessVersionInfoCompanyName target.process.file.exif_info.company
properties.ProcessVersionInfoFileDescription target.process.file.exif_info.file_description
properties.ProcessVersionInfoInternalFileName additional.fields[process_version_info_internal_file_name]
properties.ProcessVersionInfoOriginalFileName target.process.file.exif_info.original_file
properties.ProcessVersionInfoProductName target.process.file.exif_info.product
properties.ProcessVersionInfoProductVersion additional.fields[process_version_info_product_version]
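The conditional rows in the DeviceProcessEvents table (ActionType to event type, the FolderPath/FileName join, the hash regex guards, and the token elevation enum, which the DeviceLogonEvents, DeviceNetworkEvents and DeviceRegistryEvents tables reuse for their InitiatingProcess* rows) as an added, stand-alone example. It is not the Google SecOps parser's own code; the sample record, the flat dotted-key output and the re.escape on the file name are assumptions made here.

```python
import json
import re

# UDM enum values from the DeviceProcessEvents table on this page.
TOKEN_ELEVATION_TYPES = {
    "TokenElevationTypeFull": "TYPE_1",
    "TokenElevationTypeDefault": "TYPE_2",
    "TokenElevationTypeLimited": "TYPE_3",
}
# Hash guards exactly as the table states them: lowercase hex only, and the
# SHA-256 guard additionally pins the length to 64 characters.
MD5_SHA1_GUARD = re.compile(r"^[0-9a-f]+$")
SHA256_GUARD = re.compile(r"^[a-f0-9]{64}$")


def map_event_type(action_type):
    """ActionType -> metadata.event_type (case-insensitive, first match wins)."""
    action_type = action_type or ""
    if re.search(r"(?i)ProcessCreated", action_type):
        return "PROCESS_LAUNCH"
    if re.search(r"(?i)OpenProcess", action_type):
        return "PROCESS_OPEN"
    return None  # the table defines no fallback for other ActionType values


def map_full_path(folder_path, file_name):
    """FolderPath/FileName -> *.file.full_path.

    The table keeps FolderPath as-is when it already matches the file name and
    otherwise joins the two with '/'. re.escape is an assumption added here so
    a dot in the file name cannot act as a regex wildcard."""
    if not folder_path:
        return None
    if file_name and re.search(re.escape(file_name), folder_path):
        return folder_path
    return f"{folder_path}/{file_name}"  # note: '/' even on Windows paths


def map_guarded_hash(value, guard):
    """Return the hash only if it passes the table's regex guard, else None."""
    if value and guard.match(value):
        return value
    return None


def map_device_process_event(event):
    """Apply the DeviceProcessEvents rows to one Streaming API record.

    Returns a flat dict keyed by UDM path (a constructed representation, not
    the real UDM proto); rows whose source is missing or whose guard fails are
    simply absent, mirroring a parser that skips empty fields."""
    p = event.get("properties", {})
    udm = {
        "metadata.event_timestamp": p.get("Timestamp"),
        "metadata.event_type": map_event_type(p.get("ActionType")),
        "metadata.product_log_id": p.get("ReportId"),
        "network.session_id": p.get("LogonId"),
        "principal.administrative_domain": p.get("InitiatingProcessAccountDomain"),
        "principal.asset_id": f"DeviceID:{p['DeviceId']}" if p.get("DeviceId") else None,
        "principal.hostname": p.get("DeviceName"),
        "principal.process.command_line": p.get("InitiatingProcessCommandLine"),
        "principal.process.file.full_path": map_full_path(
            p.get("InitiatingProcessFolderPath"), p.get("InitiatingProcessFileName")),
        "principal.process.file.md5": map_guarded_hash(p.get("InitiatingProcessMD5"), MD5_SHA1_GUARD),
        "principal.process.file.sha1": map_guarded_hash(p.get("InitiatingProcessSHA1"), MD5_SHA1_GUARD),
        "principal.process.file.sha256": map_guarded_hash(p.get("InitiatingProcessSHA256"), SHA256_GUARD),
        "principal.process.file.names": p.get("InitiatingProcessFileName"),
        "principal.process.pid": p.get("InitiatingProcessId"),
        "principal.process.parent_process.pid": p.get("InitiatingProcessParentId"),
        "principal.process.token_elevation_type": TOKEN_ELEVATION_TYPES.get(p.get("InitiatingProcessTokenElevation")),
        "principal.user.userid": p.get("InitiatingProcessAccountName"),
        "principal.user.windows_sid": p.get("InitiatingProcessAccountSid"),
        "target.file.full_path": map_full_path(p.get("FolderPath"), p.get("FileName")),
        "target.process.file.md5": map_guarded_hash(p.get("MD5"), MD5_SHA1_GUARD),
        "target.process.file.sha1": map_guarded_hash(p.get("SHA1"), MD5_SHA1_GUARD),
        "target.process.file.sha256": map_guarded_hash(p.get("SHA256"), SHA256_GUARD),
        "target.process.file.names": p.get("FileName"),
        "target.process.command_line": p.get("ProcessCommandLine"),
        "target.process.pid": p.get("ProcessId"),
        "target.process.token_elevation_type": TOKEN_ELEVATION_TYPES.get(p.get("ProcessTokenElevation")),
        "target.user.userid": p.get("AccountName"),
        "target.user.windows_sid": p.get("AccountSid"),
    }
    return {k: v for k, v in udm.items() if v is not None}


# Constructed sample record (not real telemetry). The Streaming API places the
# table columns under "properties". The uppercase MD5 and the 63-character
# SHA-256 are deliberate: both fail their guards and are dropped, which is
# worth knowing before building detections that key on those fields.
SAMPLE_EVENT = {"properties": {
    "Timestamp": "2024-05-01T10:15:30Z",
    "ActionType": "ProcessCreated",
    "ReportId": 4711,
    "DeviceId": "0f1e2d3c4b5a6978",
    "DeviceName": "ws01.example.test",
    "InitiatingProcessFolderPath": "c:\\windows\\explorer.exe",
    "InitiatingProcessFileName": "explorer.exe",
    "InitiatingProcessMD5": "0123456789ABCDEF0123456789ABCDEF",
    "InitiatingProcessSHA256": "0" * 63,
    "InitiatingProcessTokenElevation": "TokenElevationTypeLimited",
    "InitiatingProcessAccountName": "alice",
    "FolderPath": "c:\\users\\alice\\downloads",
    "FileName": "setup.exe",
    "SHA256": "0" * 64,
    "ProcessCommandLine": "setup.exe /quiet",
    "ProcessTokenElevation": "TokenElevationTypeFull",
    "AccountName": "alice",
}}

if __name__ == "__main__":
    print(json.dumps(map_device_process_event(SAMPLE_EVENT), indent=2))
```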

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmInfoGathering

The following table lists the log fields for the DeviceTvmInfoGathering log type and their corresponding UDM fields.

Log field UDM mapping Logic
properties.Timestamp metadata.event_timestamp
metadata.event_type The metadata.event_type UDM field is set to SCAN_HOST.
properties.DeviceId principal.asset_id The principal.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.OSPlatform principal.asset.platform_software.platform If the properties.OSPlatform log field value matches the regular expression pattern (?i)macos, then the principal.asset.platform_software.platform UDM field is set to MAC.

Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)windows, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.

Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)linux, then the principal.asset.platform_software.platform UDM field is set to LINUX.
properties.OSPlatform principal.asset.platform_software.platform_version
properties.DeviceName principal.hostname
properties.LastSeenTime security.result.last_discovered_time
properties.AdditionalFields additional.fields[additional_fields]

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceRegistryEvents

The following table lists the log fields for the DeviceRegistryEvents log type and their corresponding UDM fields.

Log field UDM mapping Logic
properties.Timestamp metadata.event_timestamp
properties.ActionType metadata.event_type If the properties.ActionType log field value matches the regular expression pattern (?i)RegistryKeyCreated, then the metadata.event_type UDM field is set to REGISTRY_CREATION.

Else, if the properties.ActionType log field value matches the regular expression pattern (?i)RegistryKeyDeleted, then the metadata.event_type UDM field is set to REGISTRY_DELETION.

Else, if the properties.ActionType log field value matches the regular expression pattern (?i)RegistryKeyRenamed, then the metadata.event_type UDM field is set to REGISTRY_MODIFICATION.

Else, if the properties.ActionType log field value matches the regular expression pattern (?i)RegistryValueDeleted, then the metadata.event_type UDM field is set to REGISTRY_DELETION.

Else, if the properties.ActionType log field value matches the regular expression pattern (?i)RegistryValueSet, then the metadata.event_type UDM field is set to REGISTRY_MODIFICATION.

Else, the metadata.event_type UDM field is set to REGISTRY_UNCATEGORIZED.
properties.ReportId metadata.product_log_id
properties.InitiatingProcessAccountDomain principal.administrative_domain
properties.DeviceId principal.asset_id The principal.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.DeviceName principal.hostname
properties.InitiatingProcessCommandLine principal.process.command_line
properties.InitiatingProcessFolderPath principal.process.file.full_path If the properties.InitiatingProcessFolderPath log field value matches a regular expression pattern formed from the properties.InitiatingProcessFileName log field value, then the properties.InitiatingProcessFolderPath log field is mapped to the principal.process.file.full_path UDM field.

Else, the principal.process.file.full_path is set to %{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}.
properties.InitiatingProcessMD5 principal.process.file.md5 If the properties.InitiatingProcessMD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessMD5 log field is mapped to the principal.process.file.md5 UDM field.
properties.InitiatingProcessFileName principal.process.file.names
properties.InitiatingProcessSHA1 principal.process.file.sha1 If the properties.InitiatingProcessSHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessSHA1 log field is mapped to the principal.process.file.sha1 UDM field.
properties.InitiatingProcessSHA256 principal.process.file.sha256 If the properties.InitiatingProcessSHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.InitiatingProcessSHA256 log field is mapped to the principal.process.file.sha256 UDM field.
properties.InitiatingProcessFileSize principal.process.file.size
properties.InitiatingProcessParentFileName principal.process.parent_process.file.names
properties.InitiatingProcessParentId principal.process.parent_process.pid
properties.InitiatingProcessId principal.process.pid
properties.PreviousRegistryValueData principal.registry.registry_value_data
properties.PreviousRegistryKey principal.registry.registry_key
properties.PreviousRegistryValueName principal.registry.registry_value_name
properties.InitiatingProcessAccountObjectId principal.user.attribute.labels[initiating_process_account_object_id]
properties.InitiatingProcessAccountUpn principal.user.attribute.labels[initiating_process_account_upn]
properties.InitiatingProcessAccountName principal.user.userid
properties.InitiatingProcessAccountSid principal.user.windows_sid
properties.InitiatingProcessTokenElevation principal.process.token_elevation_type If the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeFull, then the principal.process.token_elevation_type UDM field is set to TYPE_1.

Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeDefault, then the principal.process.token_elevation_type UDM field is set to TYPE_2.

Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeLimited, then the principal.process.token_elevation_type UDM field is set to TYPE_3.
properties.RegistryValueData target.registry.registry_value_data
properties.RegistryKey target.registry.registry_key
properties.RegistryValueName target.registry.registry_value_name
properties.InitiatingProcessCreationTime additional.fields[initiating_process_creation_time]
properties.InitiatingProcessIntegrityLevel additional.fields[initiating_process_integrity_level]
properties.InitiatingProcessParentCreationTime additional.fields[initiating_process_parent_creation_time]
properties.AppGuardContainerId additional.fields[app_guard_container_id]
properties.InitiatingProcessVersionInfoCompanyName principal.process.file.exif_info.company
properties.InitiatingProcessVersionInfoFileDescription principal.process.file.exif_info.file_description
properties.InitiatingProcessVersionInfoInternalFileName additional.fields[initiating_process_version_info_internal_file_name]
properties.InitiatingProcessVersionInfoOriginalFileName principal.process.file.exif_info.original_file
properties.InitiatingProcessVersionInfoProductName principal.process.file.exif_info.product
properties.InitiatingProcessVersionInfoProductVersion additional.fields[initiating_process_version_info_product_version]
properties.RegistryValueType additional.fields[registry_value_type]

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmInfoGatheringKB

The following table lists the log fields for the DeviceTvmInfoGatheringKB log type and their corresponding UDM fields.

Log field UDM mapping Logic
properties.Description metadata.description
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
properties.IgId metadata.product_log_id
properties.Categories principal.resource.attribute.labels[categories]
properties.DataStructure principal.resource.attribute.labels[data_structure]
properties.FieldName principal.resource.name

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmSecureConfigurationAssessment

The following table lists the log fields for the DeviceTvmSecureConfigurationAssessment log type and their corresponding UDM fields.

Log field UDM mapping Logic
properties.Timestamp metadata.event_timestamp
metadata.event_type The metadata.event_type UDM field is set to SCAN_UNCATEGORIZED.
properties.DeviceId principal.asset_id The principal.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.OSPlatform principal.asset.platform_software.platform If the properties.OSPlatform log field value matches the regular expression pattern (?i)macos, then the principal.asset.platform_software.platform UDM field is set to MAC.

Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)windows, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.

Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)linux, then the principal.asset.platform_software.platform UDM field is set to LINUX.
properties.DeviceName principal.hostname
properties.ConfigurationCategory principal.resource.attribute.labels[configuration_category]
properties.ConfigurationImpact principal.resource.attribute.labels[configuration_impact]
properties.Context principal.resource.attribute.labels[contex]
properties.IsApplicable principal.resource.attribute.labels[is_applicable]
properties.IsCompliant principal.resource.attribute.labels[is_compliant]
properties.IsExpectedUserImpact principal.resource.attribute.labels[is_expected_user_impact]
properties.ConfigurationId principal.resource.product_object_id
properties.ConfigurationSubcategory principal.resource.resource_subtype
principal.resource.resource_type The principal.resource.resource_type UDM field is set to ACCESS_POLICY.

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmSecureConfigurationAssessmentKB

The following table lists the log fields for the DeviceTvmSecureConfigurationAssessmentKB log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
properties.ConfigurationBenchmarks principal.resource.attribute.labels[configuration_benchmarks]
properties.ConfigurationCategory principal.resource.attribute.labels[configuration_category]
properties.ConfigurationDescription principal.resource.attribute.labels[configuration_description]
properties.ConfigurationImpact principal.resource.attribute.labels[configuration_impact]
properties.RemediationOptions principal.resource.attribute.labels[remediation_options]
properties.RiskDescription principal.resource.attribute.labels[risk_description]
properties.Tags principal.resource.attribute.labels[tags]
properties.ConfigurationName principal.resource.name
properties.ConfigurationId principal.resource.product_object_id
properties.ConfigurationSubcategory principal.resource.resource_subtype
principal.resource.resource_type The principal.resource.resource_type UDM field is set to ACCESS_POLICY.

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmSoftwareEvidenceBeta

The following table lists the log fields for the DeviceTvmSoftwareEvidenceBeta log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
properties.DeviceId principal.asset_id The principal.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.DiskPaths principal.asset.attribute.labels[disk_paths] The properties.DiskPaths log field is mapped to the principal.asset.attribute.labels[disk_paths] UDM field.
properties.RegistryPaths principal.asset.attribute.labels[registry_paths] The properties.RegistryPaths log field is mapped to the principal.asset.attribute.labels[registry_paths] UDM field.
properties.LastSeenTime principal.asset.last_discover_time
properties.SoftwareName principal.asset.software.name
properties.SoftwareVendor principal.asset.software.vendor_name
properties.SoftwareVersion principal.asset.software.version

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmSoftwareInventory

The following table lists the log fields for the DeviceTvmSoftwareInventory log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
properties.DeviceId principal.asset_id The principal.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.EndOfSupportDate principal.asset.attribute.labels[end_of_support_date]
properties.EndOfSupportStatus principal.asset.attribute.labels[end_of_support_status]
properties.OSArchitecture principal.asset.attribute.labels[os_architecture]
properties.ProductCodeCpe principal.asset.attribute.labels[product_code_cpe]
properties.OSPlatform principal.asset.platform_software.platform If the properties.OSPlatform log field value matches the regular expression pattern (?i)macos, then the principal.asset.platform_software.platform UDM field is set to MAC.

Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)windows, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.

Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)linux, then the principal.asset.platform_software.platform UDM field is set to LINUX.
properties.OSVersion principal.asset.platform_software.platform_version
properties.SoftwareName principal.asset.software.name
properties.SoftwareVendor principal.asset.software.vendor_name
properties.SoftwareVersion principal.asset.software.version
properties.DeviceName principal.hostname

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmSoftwareVulnerabilities

The following table lists the log fields for the DeviceTvmSoftwareVulnerabilities log type and their corresponding UDM fields.

Log field UDM mapping Logic
properties.CveId extensions.vulns.vulnerabilities.cve_id
properties.VulnerabilityLevel extensions.vulns.vulnerabilities.severity If the properties.VulnerabilityLevel log field value is equal to High, then the extensions.vulns.vulnerabilities.severity UDM field is set to HIGH.

Else, if the properties.VulnerabilityLevel log field value is equal to Medium, then the extensions.vulns.vulnerabilities.severity UDM field is set to MEDIUM.

Else, if the properties.VulnerabilityLevel log field value is equal to Low, then the extensions.vulns.vulnerabilities.severity UDM field is set to LOW.

Else, if the properties.VulnerabilityLevel log field value is equal to Informational, then the extensions.vulns.vulnerabilities.severity UDM field is set to INFORMATIONAL.
properties.SeverityLevel extensions.vulns.vulnerabilities.severity_details
metadata.event_type The metadata.event_type UDM field is set to SCAN_VULN_HOST.
properties.DeviceId principal.asset_id The principal.asset_id is set to DeviceID:%{properties.DeviceId}.
properties.OSPlatform principal.asset.platform_software.platform If the properties.OSPlatform log field value matches the regular expression pattern (?i)macos, then the principal.asset.platform_software.platform UDM field is set to MAC.

Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)windows, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.

Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)linux, then the principal.asset.platform_software.platform UDM field is set to LINUX.
properties.OSVersion principal.asset.platform_software.platform_version
properties.SoftwareName principal.asset.software.name
properties.SoftwareVendor principal.asset.software.vendor_name
properties.SoftwareVersion principal.asset.software.version
properties.DeviceName principal.hostname
properties.RecommendedSecurityUpdateId security_result.detection_fields[recommended_security_update_id]
properties.RecommendedSecurityUpdate security_result.detection_fields[recommended_security_update]
properties.CveTags additional.fields[cve_tags]

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmSoftwareVulnerabilitiesKB

The following table lists the log fields for the DeviceTvmSoftwareVulnerabilitiesKB log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
properties.CveId extensions.vulns.vulnerabilities.cve_id
properties.CvssScore extensions.vulns.vulnerabilities.cvss_base_score
properties.IsExploitAvailable extensions.vulns.vulnerabilities.cvss_vector
properties.VulnerabilitySeverityLevel extensions.vulns.vulnerabilities.severity If the properties.VulnerabilitySeverityLevel log field value is equal to High, then the extensions.vulns.vulnerabilities.severity UDM field is set to HIGH.

Else, if the properties.VulnerabilitySeverityLevel log field value is equal to Medium, then the extensions.vulns.vulnerabilities.severity UDM field is set to MEDIUM.

Else, if the properties.VulnerabilitySeverityLevel log field value is equal to Low, then the extensions.vulns.vulnerabilities.severity UDM field is set to LOW.

Else, if the properties.VulnerabilitySeverityLevel log field value is equal to Informational, then the extensions.vulns.vulnerabilities.severity UDM field is set to INFORMATIONAL.

Else, the extensions.vulns.vulnerabilities.severity UDM field is set to UNKNOWN_SEVERITY.
properties.VulnerabilitySeverityLevel extensions.vulns.vulnerabilities.severity_details
properties.LastModifiedTime extensions.vulns.vulnerabilities.scan_end_time
properties.PublishedDate extensions.vulns.vulnerabilities.first_found
properties.VulnerabilityDescription extensions.vulns.vulnerabilities.cve_description
properties.AffectedSoftware extensions.vulns.vulnerabilities.description

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - EmailAttachmentInfo

The following table lists the log fields for the EmailAttachmentInfo log type and their corresponding UDM fields.

Log field UDM mapping Logic
properties.FileType target.file.mime_type
properties.FileName target.file.names
properties.SHA256 target.file.sha256 If the properties.SHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.SHA256 log field is mapped to the target.file.sha256 UDM field.
properties.FileSize target.file.size
properties.Timestamp metadata.event_timestamp
metadata.event_type The metadata.event_type UDM field is set to EMAIL_TRANSACTION.
properties.ReportId metadata.product_log_id
properties.SenderFromAddress network.email.from If the properties.SenderFromAddress log field value matches the regular expression pattern ^.+@.+$, then the properties.SenderFromAddress log field is mapped to the network.email.from UDM field.
properties.NetworkMessageId network.email.mail_id
properties.RecipientEmailAddress network.email.to If the properties.RecipientEmailAddress log field value matches the regular expression pattern ^.+@.+$, then the properties.RecipientEmailAddress log field is mapped to the network.email.to UDM field.
properties.SenderFromAddress principal.user.email_addresses If the properties.SenderFromAddress log field value matches the regular expression pattern ^.+@.+$, then the properties.SenderFromAddress log field is mapped to the principal.user.email_addresses UDM field.
properties.SenderObjectId principal.user.product_object_id
properties.SenderDisplayName principal.user.user_display_name
properties.ThreatTypes security_result.category If the properties.ThreatTypes log field value is equal to Phish, then the security_result.category UDM field is set to MAIL_PHISHING.
properties.DetectionMethods security_result.detection_fields[detection_methods]
properties.ThreatNames security_result.threat_name
properties.RecipientEmailAddress target.user.email_addresses If the properties.RecipientEmailAddress log field value matches the regular expression pattern ^.+@.+$, then the properties.RecipientEmailAddress log field is mapped to the target.user.email_addresses UDM field.
properties.RecipientObjectId target.user.product_object_id
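The conditional gates in the EmailAttachmentInfo table decide whether a UDM field is populated at all, which matters when a detection rule keys on target.file.sha256 or network.email.to. The following added example (not the Google SecOps parser's code) reproduces those documented gates in Python, with the regular expressions copied from the table and a constructed sample event, to show that an uppercase-hex hash or an address without "@" leaves the corresponding UDM field unset.

```python
import re

# Patterns copied from the EmailAttachmentInfo mapping table.
# The SHA256 pattern is case-sensitive: only lowercase hex passes.
SHA256_RE = re.compile(r"^[a-f0-9]{64}$")
EMAIL_RE = re.compile(r"^.+@.+$")

# Unconditional mappings from the table (log field -> UDM field).
DIRECT = {
    "FileType": "target.file.mime_type",
    "FileName": "target.file.names",
    "FileSize": "target.file.size",
    "Timestamp": "metadata.event_timestamp",
    "ReportId": "metadata.product_log_id",
    "NetworkMessageId": "network.email.mail_id",
    "SenderObjectId": "principal.user.product_object_id",
    "SenderDisplayName": "principal.user.user_display_name",
    "DetectionMethods": "security_result.detection_fields[detection_methods]",
    "ThreatNames": "security_result.threat_name",
    "RecipientObjectId": "target.user.product_object_id",
}


def map_email_attachment_info(props: dict) -> dict:
    """Return the UDM fields the documented logic would set for one event's
    'properties' object. A field whose gate fails is left out entirely."""
    udm = {"metadata.event_type": "EMAIL_TRANSACTION"}
    for log_field, udm_field in DIRECT.items():
        if log_field in props:
            udm[udm_field] = props[log_field]
    sha = props.get("SHA256")
    if sha is not None and SHA256_RE.match(sha):
        udm["target.file.sha256"] = sha
    sender = props.get("SenderFromAddress")
    if sender is not None and EMAIL_RE.match(sender):
        udm["network.email.from"] = sender
        udm["principal.user.email_addresses"] = sender
    recipient = props.get("RecipientEmailAddress")
    if recipient is not None and EMAIL_RE.match(recipient):
        udm["network.email.to"] = recipient
        udm["target.user.email_addresses"] = recipient
    if props.get("ThreatTypes") == "Phish":
        udm["security_result.category"] = "MAIL_PHISHING"
    return udm


# Constructed sample event (not real telemetry): the hash is uppercase hex
# and the recipient has no "@", so neither gated field is populated.
SAMPLE = {"FileName": "invoice.pdf", "SHA256": "A" * 64,
          "SenderFromAddress": "billing@example.com",
          "RecipientEmailAddress": "no-at-sign", "ThreatTypes": "Phish"}
```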

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - EmailEvents

The following table lists the log fields for the EmailEvents log type and their corresponding UDM fields.

Log field UDM mapping Logic
properties.Timestamp metadata.event_timestamp
metadata.event_type The metadata.event_type UDM field is set to EMAIL_TRANSACTION.
properties.ReportId metadata.product_log_id
properties.EmailDirection network.direction If the properties.EmailDirection log field value is equal to Inbound, then the network.direction UDM field is set to INBOUND.

Else, if the properties.EmailDirection log field value is equal to Outbound, then the network.direction UDM field is set to OUTBOUND.

Else, the network.direction UDM field is set to UNKNOWN_DIRECTION.
properties.NetworkMessageId network.email.mail_id
properties.Subject network.email.subject
properties.RecipientEmailAddress network.email.to
properties.SenderFromDomain principal.administrative_domain
properties.SenderIPv4 principal.ip
properties.SenderIPv6 principal.ip
properties.SenderMailFromAddress principal.user.attribute.labels[sender_mail_from_address]
properties.SenderFromAddress principal.user.email_addresses If the properties.SenderFromAddress log field value matches the regular expression pattern ^.+@.+$, then the properties.SenderFromAddress log field is mapped to the principal.user.email_addresses UDM field.
properties.SenderMailFromDomain principal.user.attribute.labels[sender_mail_from_domain]
properties.SenderObjectId principal.user.product_object_id
properties.SenderDisplayName principal.user.user_display_name
properties.ThreatTypes security_result.category If the properties.ThreatTypes log field value is equal to Phish, then the security_result.category UDM field is set to MAIL_PHISHING.
properties.ThreatTypes security_result.category_details
properties.ConfidenceLevel security_result.confidence_details
properties.EmailAction security_result.description
properties.AuthenticationDetails security_result.detection_fields[authentication_details]
properties.BulkComplaintLevel security_result.detection_fields[bulk_complaint_level]
properties.DetectionMethods security_result.detection_fields[detection_methods]
properties.EmailActionPolicyGuid security_result.rule_id
properties.EmailActionPolicy security_result.rule_name
properties.ThreatNames security_result.threat_name
properties.OrgLevelAction security_result.rule_labels[org_level_action]
properties.OrgLevelPolicy security_result.rule_labels[org_level_policy]
properties.UserLevelAction security_result.rule_labels[user_level_action]
properties.UserLevelPolicy security_result.rule_labels[user_level_policy]
properties.RecipientEmailAddress target.user.email_addresses If the properties.RecipientEmailAddress log field value matches the regular expression pattern ^.+@.+$, then the properties.RecipientEmailAddress log field is mapped to the target.user.email_addresses UDM field.
properties.RecipientObjectId target.user.product_object_id
properties.AdditionalFields additional.fields[additional_fields]
properties.DeliveryAction additional.fields[delivery_action]
properties.DeliveryLocation additional.fields[delivery_location] The properties.DeliveryLocation log field is mapped to the additional.fields.delivery_location UDM field.
properties.EmailClusterId additional.fields[email_cluster_id]
properties.EmailLanguage additional.fields[email_language]
properties.InternetMessageId additional.fields[internet_message_id]
properties.LatestDeliveryLocation additional.fields[last_delivery_location]
properties.UrlCount additional.fields[connectors]
properties.Connectors additional.fields[attachment_count]
properties.AttachmentCount additional.fields[latest_delivery_action]
properties.LatestDeliveryAction additional.fields[latest_delivery_action]

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - EmailPostDeliveryEvents

The following table lists the log fields for the EmailPostDeliveryEvents log type and their corresponding UDM fields.

Log field UDM mapping Logic
properties.Timestamp metadata.event_timestamp
metadata.event_type The metadata.event_type UDM field is set to EMAIL_UNCATEGORIZED.
properties.ReportId security_result.detection_fields[report_id]
properties.NetworkMessageId network.email.mail_id
properties.ActionResult security_result.summary
properties.ThreatTypes security_result.category If the properties.ThreatTypes log field value is equal to Phish, then the security_result.category UDM field is set to MAIL_PHISHING.
properties.ThreatTypes security_result.category_details
properties.ActionTrigger security_result.detection_fields[action_trigger]
properties.DeliveryLocation security_result.detection_fields[delivery_location]
properties.DetectionMethods security_result.detection_fields[detection_methods]
properties.Action security_result.action_details
properties.ActionType security_result.verdict_info.verdict_type If the properties.ActionType log field value is equal to Manual Remediation, then the security_result.verdict_info.verdict_type UDM field is set to ANALYST_VERDICT.

Else, if the properties.ActionType log field contains one of the following values, then the security_result.verdict_info.verdict_type UDM field is set to PROVIDER_ML_VERDICT:
  • Phish ZAP
  • Malware ZAP
  • Spam ZAP
properties.RecipientEmailAddress target.user.email_addresses If the properties.RecipientEmailAddress log field value matches the regular expression pattern ^.+@.+$, then the properties.RecipientEmailAddress log field is mapped to the target.user.email_addresses UDM field.
properties.InternetMessageId additional.fields[internet_message_id]

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - EmailUrlInfo

The following table lists the log fields for the EmailUrlInfo log type and their corresponding UDM fields.

Log field UDM mapping Logic
properties.UrlDomain target.hostname
properties.Url target.url
properties.Timestamp metadata.event_timestamp
metadata.event_type The metadata.event_type UDM field is set to EMAIL_TRANSACTION.
properties.ReportId metadata.product_log_id
properties.NetworkMessageId network.email.mail_id
properties.UrlLocation additional.fields[url_location]

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - IdentityInfo

The following table lists the log fields for the IdentityInfo log type and their corresponding UDM fields.

Log field UDM mapping Logic
properties.SourceSystem entity.resource.parent
properties.AccountDomain entity.administrative_domain
properties.TenantId entity.resource.product_object_id
properties.CreatedDateTime entity.user.attribute.creation_time
properties.AccountUpn entity.user.attribute.labels[account_upn]
properties.ChangeSource entity.user.attribute.labels[change_source]
properties.CloudSid entity.user.attribute.labels[cloud_sid]
properties.ReportId entity.user.attribute.labels[report_id]
properties.SipProxyAddress entity.user.attribute.labels[sip_proxy_address]
properties.SourceProvider entity.user.attribute.labels[source_provider]
properties.Tags entity.user.attribute.labels[tags]
properties.Type entity.user.attribute.role.name
properties.DistinguishedName entity.user.attribute.labels[distinguished_name]
properties.Department entity.user.department
properties.EmailAddress entity.user.email_addresses If the properties.EmailAddress log field value matches the regular expression pattern ^.+@.+$, then the properties.EmailAddress log field is mapped to the entity.user.email_addresses UDM field.
properties.GivenName entity.user.first_name
properties.Surname entity.user.last_name
properties.Manager entity.user.managers.user_display_name
properties.City entity.user.personal_address.city
properties.Country entity.user.personal_address.country_or_region
properties.Address entity.user.personal_address.name
properties.Phone entity.user.phone_numbers
properties.AccountObjectId entity.user.product_object_id
properties.AssignedRoles entity.user.role_description
properties.JobTitle entity.user.title
properties.IsAccountEnabled entity.user.user_authentication_status If the properties.IsAccountEnabled log field value is equal to 1, then the entity.user.user_authentication_status UDM field is set to ACTIVE.

Else, the entity.user.user_authentication_status UDM field is set to SUSPENDED.
properties.AccountDisplayName entity.user.user_display_name
properties.AccountName entity.user.userid
properties.OnPremSid entity.user.attribute.labels[on_prem_sid]
properties.Timestamp metadata.creation_time
metadata.entity_type The metadata.entity_type UDM field is set to USER.
properties.AccountObjectId metadata.product_entity_id

What's next