Raccogliere i log di Microsoft Defender for Endpoint
Supportato in:
Google SecOps
SIEM
Questo documento descrive come raccogliere i log di Microsoft Defender for Endpoint configurando un feed di Google Security Operations e come i campi dei log vengono mappati ai campi del modello dei dati unificato (UDM) di Google SecOps.
Per ulteriori informazioni, vedi Importazione dei dati in Google SecOps.
Un deployment tipico è costituito da Microsoft Defender for Endpoint e dal feed di Google SecOps configurato per inviare i log a Google SecOps. Il tuo deployment potrebbe essere diverso da quello descritto in questo documento. Il deployment contiene i seguenti componenti:
Microsoft Defender for Endpoint: la piattaforma che raccoglie i log.
Azure Storage: la piattaforma che archivia i log.
Feed Google SecOps: il feed Google SecOps che recupera i log da Microsoft Defender for Endpoint e li scrive in Google SecOps.
Google SecOps: la piattaforma che conserva e analizza i log di Microsoft Defender for Endpoint.
Un'etichetta di importazione identifica l'analizzatore sintattico che normalizza i dati dei log non elaborati
in formato UDM strutturato. Le informazioni contenute in questo documento si applicano al parser con l'etichetta di importazione MICROSOFT_DEFENDER_ENDPOINT.
Prima di iniziare
- Imposta il fuso orario su UTC su tutti i sistemi nell'architettura di deployment.
- Assicurati di soddisfare i prerequisiti per l'utilizzo di Microsoft Defender for Endpoint. Per ulteriori informazioni, consulta i prerequisiti di Microsoft Defender XDR.
- Assicurati di aver configurato Microsoft Defender for Endpoint.
- Configura un account di archiviazione nel tuo tenant.
Configurare Microsoft Defender for Endpoint
- Accedi a security.microsoft.com come amministratore globale o amministratore della sicurezza.
- Nel riquadro a sinistra, fai clic su Impostazioni.
- Seleziona la scheda Microsoft Defender XDR.
- Seleziona API Streaming dalla sezione generale e fai clic su Aggiungi.
- Seleziona Inoltra gli eventi ad Azure Storage.
- Vai all'account di archiviazione che preferisci.
- Seleziona Panoramica > Visualizzazione JSON e inserisci l'ID risorsa.
- Dopo aver inserito l'ID risorsa, seleziona tutti i tipi di dati richiesti.
- Fai clic su Salva.
Configurare un feed in Google SecOps per importare i log di Microsoft Defender for Endpoint
- Vai a Impostazioni SIEM > Feed.
- Fai clic su Aggiungi nuova.
- Nel campo Nome feed, inserisci un nome per il feed (ad esempio Log di MS Defender).
- Seleziona Microsoft Azure Blob Storage come Tipo di origine.
- Seleziona Microsoft Defender for Endpoint come Tipo di log.
- Fai clic su Avanti.
- Configura i seguenti parametri di input:
- URI Azure: l'URI che punta a un blob o a un contenitore di Azure Blob Storage.
- L'URI è un: il tipo di oggetto indicato dall'URI.
- Opzione di eliminazione dell'origine: indica se eliminare file o directory dopo il trasferimento.
- Seleziona Chiave condivisa o Token SAS.
- Chiave/token: la chiave condivisa o il token SAS per accedere alle risorse Azure.
- Fai clic su Avanti, quindi su Invia.
Se riscontri problemi durante l'importazione dei log di Microsoft Defender for Endpoint, contatta l'assistenza Google SecOps.
Tipi di log di Microsoft Defender for Endpoint supportati
Il parser di Microsoft Defender for Endpoint supporta le seguenti tabelle:
- AlertEvidence
- AlertInfo
- DeviceAlertEvents
- DeviceEvents
- DeviceFileCertificateInfo
- DeviceFileEvents
- DeviceIdentityLogonEvents
- DeviceImageLoadEvents
- DeviceInfo
- DeviceLogonEvents
- DeviceNetworkEvents
- DeviceNetworkInfo
- DeviceProcessEvents
- DeviceRegistryEvents
- DeviceTvmInfoGathering
- DeviceTvmInfoGatheringKB
- DeviceTvmSecureConfigurationAssessment
- DeviceTvmSecureConfigurationAssessmentKB
- DeviceTvmSoftwareEvidenceBeta
- DeviceTvmSoftwareInventory
- DeviceTvmSoftwareVulnerabilities
- DeviceTvmSoftwareVulnerabilitiesKB
- EmailAttachmentInfo
- EmailEvents
- EmailPostDeliveryEvents
- EmailUrlInfo
- IdentityInfo
Riferimento alla mappatura dei campi
Questa sezione spiega in che modo il parser di Google Security Operations mappa i campi di Microsoft Defender for Endpoint ai campi UDM di Google Security Operations.
Riferimento alla mappatura dei campi: MICROSOFT DEFENDER ENDPOINT - Common Fields for UDM Event Model
La tabella seguente elenca i campi di log comuni per il tipo di log MICROSOFT_DEFENDER_ENDPOINT e i relativi campi UDM:
| Common log field | UDM mapping | Logic |
|---|---|---|
time |
metadata.collected_timestamp |
|
category |
metadata.product_event_type |
|
|
metadata.product_name |
The metadata.product_name UDM field is set to Microsoft Defender for Endpoint. |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Microsoft. |
Tenant |
observer.resource_ancestors.name |
|
tenantId |
observer.resource_ancestors.product_object_id |
|
operationName |
additional.fields[operation_name] |
Riferimento alla mappatura dei campi: MICROSOFT DEFENDER ENDPOINT - Common Fields for UDM Entity Model
La tabella seguente elenca i campi di log comuni per il tipo di log MICROSOFT_DEFENDER_ENDPOINT e i relativi campi UDM:
| Common log field | UDM mapping | Logic |
|---|---|---|
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Microsoft. |
|
metadata.product_name |
The metadata.product_name UDM field is set to Microsoft Defender for Endpoint. |
time |
metadata.collected_timestamp |
|
tenantId |
relations.entity.resource.product_object_id |
|
operationName |
additional.fields[operation_name] |
|
category |
metadata.description |
|
Tenant |
relations.entity.resource.name |
|
|
relations.entity_type |
The relations.entity_type UDM field is set to RESOURCE. |
|
relations.relationship |
The relations.relationship UDM field is set to MEMBER. |
|
relations.direction |
The relations.direction UDM field is set to UNIDIRECTIONAL. |
Riferimento alla mappatura dei campi: identificatore evento DeviceEvents a tipo di evento
La tabella seguente elenca i tipi di azioni di logDeviceEvents e i relativi tipi di eventi UDM.
| Event Identifier | Event Type |
|---|---|
UsbDriveDriveLetterChanged |
DEVICE_CONFIG_UPDATE |
AppControlAppInstallationAudited |
SCAN_HOST |
AsrExecutableOfficeContentAudited |
SCAN_HOST |
ShellLinkCreateFileEvent |
FILE_CREATION |
FileTimestampModificationEvent |
FILE_MODIFICATION |
PlistPropertyModified |
FILE_MODIFICATION |
SensitiveFileRead |
FILE_READ |
AsrUntrustedExecutableAudited |
SCAN_HOST |
AsrUntrustedExecutableBlocked |
SCAN_HOST |
DlpPocPrintJob |
FILE_UNCATEGORIZED |
RemovableStorageFileEvent |
FILE_UNCATEGORIZED |
DpapiAccessed |
GENERIC_EVENT |
ScreenshotTaken |
GENERIC_EVENT |
SecurityGroupCreated |
GROUP_CREATION |
SecurityGroupDeleted |
GROUP_DELETION |
UserAccountAddedToLocalGroup |
GROUP_MODIFICATION |
UserAccountRemovedFromLocalGroup |
GROUP_MODIFICATION |
ExploitGuardNetworkProtectionAudited |
SCAN_HOST |
ExploitGuardNetworkProtectionBlocked |
SCAN_HOST |
FirewallInboundConnectionBlocked |
NETWORK_CONNECTION |
FirewallInboundConnectionToAppBlocked |
NETWORK_CONNECTION |
FirewallOutboundConnectionBlocked |
NETWORK_CONNECTION |
RemoteDesktopConnection |
NETWORK_CONNECTION |
RemoteWmiOperation |
NETWORK_CONNECTION |
UntrustedWifiConnection |
NETWORK_CONNECTION |
DnsQueryRequest |
NETWORK_DNS |
DnsQueryResponse |
NETWORK_DNS |
NetworkShareObjectAdded |
NETWORK_UNCATEGORIZED |
AppGuardBrowseToUrl |
SCAN_HOST |
BrowserLaunchedToOpenUrl |
NETWORK_UNCATEGORIZED |
NetworkProtectionUserBypassEvent |
NETWORK_UNCATEGORIZED |
NetworkShareObjectAccessChecked |
NETWORK_UNCATEGORIZED |
NetworkShareObjectDeleted |
NETWORK_UNCATEGORIZED |
NetworkShareObjectModified |
NETWORK_UNCATEGORIZED |
AsrOfficeProcessInjectionAudited |
SCAN_HOST |
AppGuardCreateContainer |
SCAN_HOST |
AppGuardLaunchedWithUrl |
SCAN_HOST |
AsrAdobeReaderChildProcessAudited |
SCAN_HOST |
AsrAdobeReaderChildProcessBlocked |
SCAN_HOST |
AsrExecutableEmailContentAudited |
SCAN_HOST |
AsrOfficeChildProcessAudited |
SCAN_HOST |
AsrOfficeCommAppChildProcessAudited |
SCAN_HOST |
AsrPsexecWmiChildProcessAudited |
SCAN_HOST |
AsrScriptExecutableDownloadAudited |
SCAN_HOST |
AsrUntrustedUsbProcessAudited |
SCAN_HOST |
ExploitGuardChildProcessAudited |
SCAN_HOST |
ExploitGuardLowIntegrityImageAudited |
SCAN_HOST |
PowerShellCommand |
PROCESS_LAUNCH |
ProcessCreatedUsingWmiQuery |
PROCESS_LAUNCH |
QueueUserApcRemoteApiCall |
PROCESS_LAUNCH |
GetClipboardData |
STATUS_UPDATE |
OpenProcessApiCall |
PROCESS_OPEN |
ScriptContent |
PROCESS_LAUNCH |
AppControlAppInstallationBlocked |
SCAN_HOST |
AppGuardSuspendContainer |
SCAN_HOST |
AppGuardStopContainer |
SCAN_HOST |
AppLockerBlockExecutable |
PROCESS_UNCATEGORIZED |
AsrObfuscatedScriptAudited |
SCAN_HOST |
AsrObfuscatedScriptBlocked |
SCAN_HOST |
AsrOfficeChildProcessBlocked |
SCAN_HOST |
AsrOfficeProcessInjectionBlocked |
SCAN_HOST |
AsrPsexecWmiChildProcessBlocked |
SCAN_HOST |
AsrScriptExecutableDownloadBlocked |
SCAN_HOST |
AsrUntrustedUsbProcessBlocked |
SCAN_HOST |
ExploitGuardChildProcessBlocked |
SCAN_HOST |
ExploitGuardLowIntegrityImageBlocked |
SCAN_HOST |
ExploitGuardSharedBinaryAudited |
SCAN_HOST |
ExploitGuardSharedBinaryBlocked |
SCAN_HOST |
MemoryRemoteProtect |
PROCESS_UNCATEGORIZED |
NamedPipeEvent |
PROCESS_UNCATEGORIZED |
NtAllocateVirtualMemoryApiCall |
PROCESS_UNCATEGORIZED |
NtAllocateVirtualMemoryRemoteApiCall |
PROCESS_UNCATEGORIZED |
NtMapViewOfSectionRemoteApiCall |
PROCESS_UNCATEGORIZED |
NtProtectVirtualMemoryApiCall |
PROCESS_UNCATEGORIZED |
ProcessPrimaryTokenModified |
PROCESS_UNCATEGORIZED |
PTraceDetected |
PROCESS_UNCATEGORIZED |
ReadProcessMemoryApiCall |
PROCESS_UNCATEGORIZED |
SetThreadContextRemoteApiCall |
PROCESS_UNCATEGORIZED |
WriteProcessMemoryApiCall |
PROCESS_UNCATEGORIZED |
WriteToLsassProcessMemory |
PROCESS_UNCATEGORIZED |
AsrOfficeCommAppChildProcessBlocked |
SCAN_HOST |
AppControlCIScriptAudited |
SCAN_HOST |
AppControlCIScriptBlocked |
SCAN_HOST |
AppControlCodeIntegrityImageAudited |
SCAN_HOST |
AppControlCodeIntegrityImageRevoked |
SCAN_HOST |
AppControlCodeIntegrityOriginAllowed |
SCAN_HOST |
AppControlCodeIntegrityOriginAudited |
SCAN_HOST |
AppControlCodeIntegrityOriginBlocked |
SCAN_HOST |
AppControlScriptAudited |
SCAN_HOST |
AppControlScriptBlocked |
SCAN_HOST |
AsrExecutableEmailContentBlocked |
SCAN_HOST |
SafeDocFileScan |
SCAN_FILE |
AntivirusDefinitionsUpdated |
SCAN_HOST |
AntivirusDefinitionsUpdateFailed |
SCAN_HOST |
AntivirusDetection |
SCAN_HOST |
AntivirusDetectionActionType |
SCAN_HOST |
AntivirusEmergencyUpdatesInstalled |
SCAN_HOST |
AntivirusError |
SCAN_HOST |
AntivirusMalwareActionFailed |
SCAN_HOST |
AntivirusMalwareBlocked |
SCAN_HOST |
AntivirusReport |
SCAN_HOST |
AntivirusScanCancelled |
SCAN_HOST |
AntivirusScanCompleted |
SCAN_HOST |
AntivirusScanFailed |
SCAN_HOST |
AntivirusTroubleshootModeEvent |
SCAN_HOST |
AppControlCodeIntegrityDriverRevoked |
SCAN_HOST |
AppControlCodeIntegrityPolicyAudited |
SCAN_HOST |
AppControlCodeIntegrityPolicyBlocked |
SCAN_HOST |
AppControlCodeIntegrityPolicyLoaded |
SCAN_HOST |
AppControlCodeIntegritySigningInformation |
SCAN_HOST |
AppControlExecutableAudited |
SCAN_HOST |
AppControlExecutableBlocked |
SCAN_HOST |
AppControlPackagedAppAudited |
SCAN_HOST |
AppControlPackagedAppBlocked |
SCAN_HOST |
AccountCheckedForBlankPassword |
SCAN_UNCATEGORIZED |
SmartScreenAppWarning |
SCAN_UNCATEGORIZED |
SmartScreenExploitWarning |
SCAN_HOST |
SmartScreenUrlWarning |
SCAN_UNCATEGORIZED |
SmartScreenUserOverride |
SCAN_UNCATEGORIZED |
ScheduledTaskCreated |
SCHEDULED_TASK_CREATION |
ScheduledTaskDeleted |
SCHEDULED_TASK_DELETION |
ScheduledTaskDisabled |
SCHEDULED_TASK_DISABLE |
ScheduledTaskEnabled |
SCHEDULED_TASK_ENABLE |
ScheduledTaskUpdated |
SCHEDULED_TASK_MODIFICATION |
ServiceInstalled |
SERVICE_CREATION |
DirectoryServiceObjectCreated |
SERVICE_MODIFICATION |
DirectoryServiceObjectModified |
SERVICE_MODIFICATION |
AuditPolicyModification |
SERVICE_MODIFICATION |
CreateRemoteThreadApiCall |
PROCESS_UNCATEGORIZED |
CredentialsBackup |
SERVICE_START |
FirewallServiceStopped |
SERVICE_STOP |
BitLockerAuditCompleted |
SERVICE_UNSPECIFIED |
AppControlPolicyApplied |
SCAN_HOST |
AppGuardResumeContainer |
SCAN_HOST |
AppLockerBlockPackagedApp |
STATUS_UPDATE |
AppLockerBlockPackagedAppInstallation |
STATUS_UPDATE |
AppLockerBlockScript |
STATUS_UPDATE |
AsrExecutableOfficeContentBlocked |
SCAN_HOST |
AsrLsassCredentialTheftAudited |
SCAN_HOST |
AsrLsassCredentialTheftBlocked |
SCAN_HOST |
AsrOfficeMacroWin32ApiCallsAudited |
SCAN_HOST |
AsrOfficeMacroWin32ApiCallsBlocked |
SCAN_HOST |
AsrPersistenceThroughWmiAudited |
SCAN_HOST |
AsrPersistenceThroughWmiBlocked |
SCAN_HOST |
AsrRansomwareAudited |
SCAN_HOST |
AsrRansomwareBlocked |
SCAN_HOST |
AsrVulnerableSignedDriverAudited |
SCAN_HOST |
AsrVulnerableSignedDriverBlocked |
SCAN_HOST |
BluetoothPolicyTriggered |
STATUS_UPDATE |
ClrUnbackedModuleLoaded |
PROCESS_MODULE_LOAD |
ControlFlowGuardViolation |
STATUS_UPDATE |
DeviceBootAttestationInfo |
STATUS_UPDATE |
DriverLoad |
PROCESS_MODULE_LOAD |
ExploitGuardEafViolationAudited |
SCAN_HOST |
ExploitGuardEafViolationBlocked |
SCAN_HOST |
ExploitGuardIafViolationAudited |
SCAN_HOST |
ExploitGuardIafViolationBlocked |
SCAN_HOST |
ExploitGuardNonMicrosoftSignedAudited |
SCAN_HOST |
ExploitGuardNonMicrosoftSignedBlocked |
SCAN_HOST |
ExploitGuardRopExploitAudited |
SCAN_HOST |
ExploitGuardRopExploitBlocked |
SCAN_HOST |
ExploitGuardWin32SystemCallAudited |
SCAN_HOST |
ExploitGuardWin32SystemCallBlocked |
SCAN_HOST |
GetAsyncKeyStateApiCall |
STATUS_UPDATE |
OtherAlertRelatedActivity |
STATUS_UPDATE |
PnpDeviceAllowed |
DEVICE_CONFIG_UPDATE |
PnpDeviceBlocked |
STATUS_UPDATE |
PnpDeviceConnected |
STATUS_UPDATE |
PrintJobBlocked |
STATUS_UPDATE |
RemovableStoragePolicyTriggered |
STATUS_UPDATE |
SecurityLogCleared |
SYSTEM_AUDIT_LOG_WIPE |
TvmAxonTelemetryEvent |
STATUS_UPDATE |
UsbDriveMount |
DEVICE_CONFIG_UPDATE |
UsbDriveMounted |
DEVICE_CONFIG_UPDATE |
UsbDriveUnmount |
DEVICE_CONFIG_UPDATE |
UsbDriveUnmounted |
DEVICE_CONFIG_UPDATE |
WmiBindEventFilterToConsumer |
STATUS_UPDATE |
TamperingAttempt |
SETTING_MODIFICATION |
PasswordChangeAttempt |
USER_CHANGE_PASSWORD |
LogonRightsSettingEnabled |
USER_CHANGE_PERMISSIONS |
UserAccountCreated |
USER_CREATION |
UserAccountDeleted |
USER_DELETION |
LdapSearch |
STATUS_UPDATE |
ControlledFolderAccessViolationAudited |
SCAN_FILE |
ControlledFolderAccessViolationBlocked |
SCAN_FILE |
ExploitGuardAcgAudited |
SCAN_HOST |
ExploitGuardAcgEnforced |
SCAN_HOST |
UserAccountModified |
USER_UNCATEGORIZED |
Riferimento alla mappatura dei campi: MICROSOFT DEFENDER ENDPOINT - DeviceEvents
La tabella seguente elenca i campi dei log per il tipo di logDeviceEvents e i relativi campi UDM:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.Timestamp |
metadata.event_timestamp |
|
properties.ActionType |
metadata.event_type |
|
properties.ReportId |
metadata.product_log_id |
|
properties.LogonId |
network.session_id |
|
properties.DeviceId |
principal.asset_id |
The principal.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.InitiatingProcessAccountDomain |
principal.administrative_domain |
If the properties.ActionType log field contains one of the following values, and the properties.InitiatingProcessAccountDomain log field value is not empty, then the properties.InitiatingProcessAccountDomain log field is mapped to the target.administrative_domain UDM field.
properties.InitiatingProcessAccountDomain log field value is not empty, then the properties.InitiatingProcessAccountDomain log field is mapped to the principal.administrative_domain UDM field. |
properties.AccountDomain |
principal.administrative_domain |
If the properties.ActionType log field contains one of the following values, and the properties.InitiatingProcessAccountDomain log field value is empty, then the properties.AccountDomain log field is mapped to the target.administrative_domain UDM field.
properties.InitiatingProcessAccountDomain log field value is empty, then the properties.AccountDomain log field is mapped to the principal.administrative_domain UDM field. |
properties.DeviceName |
principal.hostname |
|
properties.LocalIP |
principal.ip |
|
properties.FileOriginIP |
principal.ip |
|
properties.LocalPort |
principal.port |
|
properties.InitiatingProcessCommandLine |
principal.process.command_line |
|
properties.InitiatingProcessFolderPath |
principal.process.file.full_path |
If the properties.InitiatingProcessFolderPath log field value matches the regular expression pattern the properties.InitiatingProcessFileName log field value, then the properties.InitiatingProcessFolderPath log field is mapped to the principal.process.file.full_path UDM field.Else, the principal.process.file.full_path is set to %{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}. |
properties.InitiatingProcessMD5 |
principal.process.file.md5 |
If the properties.InitiatingProcessMD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessMD5 log field is mapped to the principal.process.file.md5 UDM field. |
properties.InitiatingProcessFileName |
principal.process.file.names |
|
properties.InitiatingProcessSHA1 |
principal.process.file.sha1 |
If the properties.InitiatingProcessSHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessSHA1 log field is mapped to the principal.process.file.sha1 UDM field. |
properties.InitiatingProcessSHA256 |
principal.process.file.sha256 |
If the properties.InitiatingProcessSHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.InitiatingProcessSHA256 log field is mapped to the principal.process.file.sha256 UDM field. |
properties.InitiatingProcessFileSize |
principal.process.file.size |
|
properties.InitiatingProcessParentFileName |
principal.process.parent_process.file.names |
|
properties.InitiatingProcessParentId |
principal.process.parent_process.pid |
|
properties.InitiatingProcessId |
principal.process.pid |
|
properties.FileOriginUrl |
principal.url |
|
properties.InitiatingProcessAccountObjectId |
principal.user.product_object_id |
|
properties.InitiatingProcessAccountUpn |
principal.user.user_display_name |
|
properties.InitiatingProcessAccountName |
principal.user.userid |
If the properties.ActionType log field contains one of the following values, and the properties.InitiatingProcessAccountName log field value is not empty, then the properties.InitiatingProcessAccountName log field is mapped to the target.user.userid UDM field.
properties.InitiatingProcessAccountName log field value is not empty, then the properties.InitiatingProcessAccountName log field is mapped to the principal.user.userid UDM field. |
properties.AccountName |
principal.user.userid |
If the properties.ActionType log field contains one of the following values, and the properties.InitiatingProcessAccountName log field value is empty, then the properties.AccountName log field is mapped to the target.user.userid UDM field.
properties.InitiatingProcessAccountName log field value is empty, then the properties.AccountName log field is mapped to the principal.user.userid UDM field. |
properties.InitiatingProcessAccountSid |
principal.user.windows_sid |
If the properties.ActionType log field contains one of the following values, and the properties.InitiatingProcessAccountSid log field value is not empty, then the properties.InitiatingProcessAccountSid log field is mapped to the target.user.windows_sid UDM field.
properties.InitiatingProcessAccountSid log field value is not empty, then the properties.InitiatingProcessAccountSid log field is mapped to the principal.user.windows_sid UDM field. |
properties.AccountSid |
principal.user.windows_sid |
If the properties.ActionType log field contains one of the following values, and the properties.InitiatingProcessAccountSid log field value is empty, then the properties.AccountSid log field is mapped to the target.user.windows_sid UDM field.
properties.InitiatingProcessAccountSid log field value is empty, then the properties.AccountSid log field is mapped to the principal.user.windows_sid UDM field. |
properties.ActionType |
security_result.action |
If the properties.ActionType log field value matches the regular expression pattern (?i)Allow, then the security_result.action UDM field is set to ALLOW.Else if the properties.ActionType log field value matches the regular expression pattern (?i)Block, then the security_result.action UDM field is set to BLOCK.Else if the properties.ActionType log field value matches the regular expression pattern (?i)Fail, then the security_result.action UDM field is set to FAIL. |
properties.FolderPath |
target.file.full_path |
If the properties.RemoteDeviceName log field value contain one of the following values
properties.FolderPath log field value matches the regular expression pattern the then, properties.FolderPath log field is mapped to the target.process.file.full_path UDM field. Else, %{properties.FolderPath}\%{properties.FileName} log field is mapped to the target.process.file.full_path UDM field. Else, if the properties.FolderPath log field value matches the regular expression pattern the then, properties.FolderPath log field is mapped to the target.file.full_path UDM field. Else, %{properties.FolderPath}\%{properties.FileName} log field is mapped to the target.file.full_path UDM field. |
properties.MD5 |
target.file.md5 |
If the properties.RemoteDeviceName log field value contain one of the following values
properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$ then, properties.MD5 log field is mapped to the target.process.file.md5 UDM field. Else, if the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$ then, properties.MD5 log field is mapped to the target.file.md5 UDM field. |
properties.FileName |
target.file.names |
If the properties.RemoteDeviceName log field value contain one of the following values
properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$ then, properties.FileName log field is mapped to the target.process.file.names UDM field. Else, if the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$ then, properties.FileName log field is mapped to the target.file.names UDM field. |
properties.SHA1 |
target.file.sha1 |
If the properties.RemoteDeviceName log field value contain one of the following values
properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$ then, properties.SHA1 log field is mapped to the target.process.file.sha1 UDM field. Else, if the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$ then, properties.SHA1 log field is mapped to the target.file.sha1 UDM field. |
properties.SHA256 |
target.file.sha256 |
If the properties.RemoteDeviceName log field value contain one of the following values
properties.SHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$ then, properties.SHA256 log field is mapped to the target.process.file.sha256 UDM field. Else, if the properties.SHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$ then, properties.SHA256 log field is mapped to the target.file.sha256 UDM field. |
properties.FileSize |
target.file.size |
If the properties.RemoteDeviceName log field value contain one of the following values
properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$ then, properties.FileSize log field is mapped to the target.process.file.size UDM field. Else, if the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$ then, properties.FileSize log field is mapped to the target.file.size UDM field. |
properties.RemoteDeviceName |
target.hostname |
|
properties.RemoteIP |
target.ip |
|
properties.RemotePort |
target.port |
|
properties.ProcessCommandLine |
target.process.command_line |
|
properties.ProcessId |
target.process.pid |
|
properties.ProcessTokenElevation |
target.process.token_elevation_type |
If the properties.ProcessTokenElevation log field value is equal to TokenElevationTypeFull, then the target.process.token_elevation_type UDM field is set to TYPE_1.Else, if the properties.ProcessTokenElevation log field value is equal to TokenElevationTypeDefault, then the target.process.token_elevation_type UDM field is set to TYPE_2.Else, if the properties.ProcessTokenElevation log field value is equal to TokenElevationTypeLimited, then the target.process.token_elevation_type UDM field is set to TYPE_3. |
properties.RegistryKey |
target.registry.registry_key |
|
properties.RegistryValueData |
target.registry.registry_value_data |
|
properties.RegistryValueName |
target.registry.registry_value_name |
|
properties.RemoteUrl |
target.url |
|
properties.AdditionalFields |
additional.fields[additional_fields] |
|
properties.AppGuardContainerId |
additional.fields[app_guard_container_id] |
|
properties.InitiatingProcessCreationTime |
additional.fields[initiating_process_creation_time] |
|
properties.InitiatingProcessLogonId |
additional.fields[initiating_process_logon_id] |
|
properties.InitiatingProcessParentCreationTime |
additional.fields[initiating_process_parent_creation_time] |
|
properties.ProcessCreationTime |
additional.fields[process_creation_time] |
|
properties.InitiatingProcessVersionInfoCompanyName |
principal.process.file.exif_info.company |
|
properties.InitiatingProcessVersionInfoFileDescription |
principal.process.file.exif_info.file_description |
|
properties.InitiatingProcessVersionInfoInternalFileName |
additional.fields[process_version_info_internal_file_name] |
|
properties.InitiatingProcessVersionInfoOriginalFileName |
principal.process.file.exif_info.original_file |
|
properties.InitiatingProcessVersionInfoProductName |
principal.process.file.exif_info.product |
|
properties.InitiatingProcessVersionInfoProductVersion |
additional.fields[process_version_info_product_version] |
Riferimento alla mappatura dei campi: MICROSOFT DEFENDER ENDPOINT - AlertEvidence
La tabella seguente elenca i campi dei log per il tipo di logAlertEvidence e i relativi campi UDM:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.Application |
additional.fields[application] |
|
|
metadata.event_type |
The metadata.event_type UDM field is set to SCAN_HOST. |
properties.DeviceId |
principal.asset_id |
If the properties.DeviceId log field value is not empty, then the DeviceID:properties.DeviceId log field is mapped to the principal.asset_id UDM field. |
properties.DeviceName |
principal.hostname |
If the properties.DeviceName log field value is not empty then, properties.DeviceName log field is mapped to the principal.hostname UDM field. Else, if the properties.AdditionalFields.HostName log field value is not empty then, properties.AdditionalFields.HostName log field is mapped to the principal.hostname UDM field. Else, if the properties.AdditionalFields.Host.HostName log field value is not empty then, properties.AdditionalFields.Host.HostName log field is mapped to the principal.hostname UDM field. Else, if the properties.AdditionalFields.ImageFile.Host.HostName log field value is not empty then, AdditionalFields.ImageFile.Host.HostName log field is mapped to the principal.hostname UDM field. |
properties.LocalIP |
principal.asset.ip |
If the properties.LocalIP log field value is not empty, then the properties.LocalIP log field is mapped to the principal.asset.ip UDM field. |
properties.FolderPath |
target.file.full_path |
If the properties.FileName log field value matches the regular expression pattern the properties.FolderPath, then the properties.FolderPath log field is mapped to the target.file.full_path UDM field.Else, the properties.FolderPath/properties.FileName log field is mapped to the target.file.full_path UDM field. |
properties.FileName |
target.file.names |
|
properties.SHA1 |
target.file.sha1 |
If the properties.SHA1 log field value matches the regular expression pattern ^the , then the properties.SHA1 log field is mapped to the target.file.sha1 UDM field. |
properties.SHA256 |
target.file.sha256 |
If the properties.SHA256 log field value matches the regular expression pattern ^the , then the properties.SHA256 log field is mapped to the target.file.sha256 UDM field. |
properties.FileSize |
target.file.size |
|
properties.AccountDomain |
principal.administrative_domain |
|
properties.RemoteIP |
target.ip |
|
properties.AdditionalFields |
additional.fields[additionalfields] |
|
properties.ProcessCommandLine |
target.process.command_line |
|
properties.RegistryKey |
target.registry.registry_key |
|
properties.RegistryValueData |
target.registry.registry_value_data |
|
properties.RegistryValueName |
target.registry.registry_value_name |
|
properties.CloudPlatform |
principal.resource.attribute.cloud.environment |
If the properties.CloudPlatform log field value matches the regular expression pattern /(?i)Amazon Web Services/, then the principal.resource.attribute.cloud.environment UDM field is set to AMAZON_WEB_SERVICES.Else, if the properties.CloudPlatform log field value matches the regular expression pattern /(?i)Google Cloud Platform/, then the principal.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM.Else, if the properties.CloudPlatform log field value matches the regular expression pattern /(?i)Azure/, then the principal.resource.attribute.cloud.environment UDM field is set to MICROSOFT_AZURE.Else, the principal.resource.attribute.cloud.environment UDM field is set to UNSPECIFIED_CLOUD_ENVIRONMENT. |
properties.SubscriptionId |
principal.resource.attribute.labels[subscription_id] |
|
properties.CloudResource |
principal.resource.name |
|
properties.ResourceID |
principal.resource.product_object_id |
|
|
principal.resource.resource_type |
The principal.resource.resource_type UDM field is set to CLOUD_PROJECT. |
properties.Categories |
security_result.category_details |
|
properties.Severity |
security_result.severity |
|
properties.Title |
security_result.summary |
|
properties.Title |
security_result.threat_name |
|
properties.Title |
security_result.rule_name |
|
properties.ThreatFamily |
security_result.detection_fields[threat_family] |
|
properties.RemoteUrl |
target.url |
|
properties.EvidenceDirection |
principal.user.attribute.labels[evidence_direction] |
|
properties.EvidenceRole |
principal.user.attribute.labels[evidence_role] |
|
properties.AccountObjectId |
additional.fields[account_object_id] |
|
properties.AccountUpn |
principal.user.user_display_name |
|
properties.AccountName |
principal.user.userid |
|
properties.AccountSid |
principal.user.windows_sid |
|
properties.Timestamp |
metadata.event_timestamp |
|
properties.EntityType |
principal.resource.resource_subtype |
|
properties.AlertId |
metadata.product_log_id |
|
properties.DetectionSource |
security_result.about.resource.attribute.labels[detection_source] |
|
properties.ServiceSource |
security_result.about.resource.attribute.labels[service_source] |
|
properties.AttackTechniques |
security_result.attack_details.techniques.name |
|
properties.ApplicationId |
additional.fields[application_id] |
|
properties.EmailSubject |
network.email.subject |
|
properties.NetworkMessageId |
network.email.mail_id |
|
properties.OAuthApplicationId |
additional.fields[oauth_application_id] |
Riferimento alla mappatura dei campi: MICROSOFT DEFENDER ENDPOINT - AlertInfo
La tabella seguente elenca i campi dei log per il tipo di logAlertInfo e i relativi campi UDM:
| Log field | UDM mapping | Logic |
|---|---|---|
|
is_alert |
The is_alert UDM field is set to true. |
|
is_significant |
The is_significant UDM field is set to true. |
properties.Timestamp |
metadata.event_timestamp |
|
|
metadata.event_type |
The metadata.event_type UDM field is set to GENERIC_EVENT. |
properties.AlertId |
metadata.product_log_id |
|
properties.AttackTechniques |
security_result.attack_details.techniques.name |
|
properties.DetectionSource |
security_result.detection_fields[detection_source] |
|
properties.ServiceSource |
security_result.detection_fields[service_source] |
|
properties.Severity |
security_result.severity |
If the properties.Severity log field value matches the regular expression pattern (?i)(informational), then the security_result.severity UDM field is set to INFORMATIONAL.Else, if the properties.Severity log field value matches the regular expression pattern (?i)(low), then the security_result.severity UDM field is set to LOW.Else, if the properties.Severity log field value matches the regular expression pattern (?i)(medium), then the security_result.severity UDM field is set to MEDIUM.Else, if the properties.Severity log field value matches the regular expression pattern (?i)(high), then the security_result.severity UDM field is set to HIGH. |
properties.Category |
security_result.category_details |
|
properties.Title |
security_result.threat_name |
|
properties.Title |
security_result.rule_name |
Riferimento alla mappatura dei campi: MICROSOFT DEFENDER ENDPOINT - DeviceAlertEvents
La tabella seguente elenca i campi dei log per il tipo di logDeviceAlertEvents e i relativi campi UDM:
| Log field | UDM mapping | Logic |
|---|---|---|
|
is_alert |
The is_alert UDM field is set to true. |
|
is_significant |
The is_significant UDM field is set to true. |
properties.Timestamp |
metadata.event_timestamp |
|
|
metadata.event_type |
The metadata.event_type UDM field is set to SCAN_HOST. |
properties.ReportId |
security_result.detection_fields[report_id] |
|
properties.DeviceId |
principal.asset_id |
The principal.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.MachineGroup |
principal.group.group_display_name |
|
properties.DeviceName |
principal.hostname |
|
properties.AttackTechniques |
security_result.attack_details.techniques.name |
|
properties.Category |
security_result.category_details |
|
properties.AlertId |
metadata.product_log_id |
|
properties.MitreTechniques |
security_result.detection_fields[mitre_techniques] |
|
properties.Severity |
security_result.severity |
If the properties.Severity log field value is equal to High, then the security_result.severity UDM field is set to HIGH.Else, if the properties.Severity log field value is equal to Medium, then the security_result.severity UDM field is set to MEDIUM.Else, if the properties.Severity log field value is equal to Low, then the security_result.severity UDM field is set to LOW.Else, if the properties.Severity log field value is equal to Informational, then the security_result.severity UDM field is set to INFORMATIONAL. |
properties.Title |
security_result.threat_name |
|
properties.Title |
security_result.rule_name |
|
properties.RemoteIp |
target.ip |
|
properties.FileName |
target.file.names |
|
properties.SHA1 |
target.file.sha1 |
If the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.SHA1 log field is mapped to the target.file.sha1 UDM field. |
properties.RemoteUrl |
target.url |
|
properties.Table |
additional.fields[table] |
Riferimento alla mappatura dei campi: MICROSOFT DEFENDER ENDPOINT - DeviceFileCertificateInfo
La tabella seguente elenca i campi dei log per il tipo di logDeviceFileCertificateInfo e i relativi campi UDM:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.Timestamp |
metadata.event_timestamp |
|
|
metadata.event_type |
The metadata.event_type UDM field is set to STATUS_UPDATE. |
properties.ReportId |
metadata.product_log_id |
|
properties.DeviceId |
principal.asset_id |
The principal.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.SHA1 |
principal.file.sha1 |
If the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.SHA1 log field is mapped to the target.file.sha1 UDM field. |
properties.Issuer |
principal.file.signature_info.sigcheck.signers.cert_issuer |
|
properties.Signer |
principal.file.signature_info.sigcheck.signers.name |
|
properties.IsSigned |
principal.file.signature_info.sigcheck.verified |
If the properties.IsSigned log field value is equal to true, then the principal.file.signature_info.sigcheck.verified UDM field is set to TRUE.Else, the principal.file.signature_info.sigcheck.verified UDM field is set to FALSE. |
properties.DeviceName |
principal.hostname |
|
properties.CertificateCountersignatureTime |
additional.fields[certificate_countersignature_time] |
|
properties.CertificateSerialNumber |
additional.fields[certificate_serial_number] |
|
properties.CertificateCreationTime |
additional.fields[certification_creation_time] |
|
properties.CertificateExpirationTime |
additional.fields[certification_expiration_time] |
|
properties.CrlDistributionPointUrls |
additional.fields[crl_distribution_point_urls] |
|
properties.IsRootSignerMicrosoft |
additional.fields[is_root_signer_microsoft] |
|
properties.IsTrusted |
additional.fields[is_trusted] |
|
properties.IssuerHash |
additional.fields[issuer_hash] |
|
properties.SignatureType |
additional.fields[signature_type] |
|
properties.SignerHash |
additional.fields[signer_hash] |
Riferimento alla mappatura dei campi: MICROSOFT DEFENDER ENDPOINT - DeviceImageLoadEvents
La tabella seguente elenca i campi dei log per il tipo di logDeviceImageLoadEvents e i relativi campi UDM:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.Timestamp |
metadata.event_timestamp |
|
|
metadata.event_type |
The metadata.event_type UDM field is set to PROCESS_MODULE_LOAD. |
properties.ReportId |
metadata.product_log_id |
|
properties.InitiatingProcessAccountDomain |
principal.administrative_domain |
|
principal.DeviceId |
principal.asset_id |
The principal.asset_id is set to DeviceID:%{principal.DeviceId}. |
properties.DeviceName |
principal.hostname |
|
properties.InitiatingProcessCommandLine |
principal.process.command_line |
|
properties.InitiatingProcessFolderPath |
principal.process.file.full_path |
If the properties.InitiatingProcessFolderPath log field value matches the regular expression pattern the properties.InitiatingProcessFileName log field value, then the properties.InitiatingProcessFolderPath log field is mapped to the principal.process.file.full_path UDM field.Else, the principal.process.file.full_path is set to %{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}. |
properties.InitiatingProcessMD5 |
principal.process.file.md5 |
If the properties.InitiatingProcessMD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessMD5 log field is mapped to the principal.process.file.md5 UDM field. |
properties.InitiatingProcessFileName |
principal.process.file.names |
|
properties.InitiatingProcessSHA1 |
principal.process.file.sha1 |
If the properties.InitiatingProcessSHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessSHA1 log field is mapped to the principal.process.file.sha1 UDM field. |
properties.InitiatingProcessSHA256 |
principal.process.file.sha256 |
If the properties.InitiatingProcessSHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.InitiatingProcessSHA256 log field is mapped to the principal.process.file.sha256 UDM field. |
properties.InitiatingProcessFileSize |
principal.process.file.size |
|
properties.InitiatingProcessParentFileName |
principal.process.parent_process.file.names |
|
properties.InitiatingProcessParentId |
principal.process.parent_process.pid |
|
properties.InitiatingProcessId |
principal.process.pid |
|
properties.InitiatingProcessTokenElevation |
principal.process.token_elevation_type |
If the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeFull, then the principal.process.token_elevation_type UDM field is set to TYPE_1.Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeDefault, then the principal.process.token_elevation_type UDM field is set to TYPE_2.Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeLimited, then the principal.process.token_elevation_type UDM field is set to TYPE_3. |
properties.InitiatingProcessAccountObjectId |
principal.user.product_object_id |
|
properties.InitiatingProcessAccountUpn |
principal.user.user_display_name |
|
properties.InitiatingProcessAccountName |
principal.user.userid |
|
properties.InitiatingProcessAccountSid |
principal.user.windows_sid |
|
properties.FolderPath |
target.process.file.full_path |
If the properties.FolderPath log field value matches the regular expression pattern the properties.FileName, then the properties.FolderPath log field is mapped to the target.process.file.full_path UDM field.Else, the target.process.file.full_pathis set to %{properties.FolderPath}/%{properties.FileName}. |
properties.MD5 |
target.process.file.md5 |
If the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.MD5 log field is mapped to the target.process.file.md5 UDM field. |
properties.FileName |
target.process.file.names |
|
properties.SHA1 |
target.process.file.sha1 |
If the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.SHA1 log field is mapped to the target.process.file.sha1 UDM field. |
properties.SHA256 |
target.process.file.sha256 |
If the properties.SHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.SHA256 log field is mapped to the target.process.file.sha256 UDM field. |
properties.FileSize |
target.process.file.size |
|
properties.FolderPath |
target.file.full_path |
If the properties.FolderPath log field value matches the regular expression pattern the properties.FileName, then the properties.FolderPath log field is mapped to the target.file.full_path UDM field.Else, the target.file.full_pathis set to %{properties.FolderPath}/%{properties.FileName}. |
properties.MD5 |
target.file.md5 |
If the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.MD5 log field is mapped to the target.process.file.md5 UDM field. |
properties.FileName |
target.file.names |
|
properties.SHA1 |
target.file.sha1 |
If the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.SHA1 log field is mapped to the target.file.sha1 UDM field. |
properties.SHA256 |
target.file.sha256 |
If the properties.SHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.SHA256 log field is mapped to the target.file.sha256 UDM field. |
properties.FileSize |
target.file.size |
|
properties.AppGuardContainerId |
additional.fields[app_guard_container_id] |
|
properties.InitiatingProcessCreationTime |
additional.fields[initiating_process_creation_time] |
|
properties.InitiatingProcessIntegrityLevel |
additional.fields[initiating_process_integrity_level] |
|
properties.InitiatingProcessParentCreationTime |
additional.fields[initiating_process_parent_creation_time] |
|
properties.InitiatingProcessVersionInfoCompanyName |
principal.process.file.exif_info.company |
|
properties.InitiatingProcessVersionInfoFileDescription |
principal.process.file.exif_info.file_description |
|
properties.InitiatingProcessVersionInfoInternalFileName |
additional.fields[initiating_process_version_info_internal_file_name] |
|
properties.InitiatingProcessVersionInfoOriginalFileName |
principal.process.file.exif_info.original_file |
|
properties.InitiatingProcessVersionInfoProductName |
principal.process.file.exif_info.product |
|
properties.InitiatingProcessVersionInfoProductVersion |
additional.fields[initiating_process_version_info_product_version] |
Riferimento alla mappatura dei campi: MICROSOFT DEFENDER ENDPOINT - DeviceFileEvents
La tabella seguente elenca i campi dei log per il tipo di logDeviceFileEvents e i relativi campi UDM:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.Timestamp |
metadata.event_timestamp |
|
properties.ActionType |
metadata.event_type |
If the properties.ActionType log field value is equal to FileCreated, then the metadata.event_type UDM field is set to FILE_CREATION.Else, if the properties.ActionType log field value is equal to FileDeleted, then the metadata.event_type UDM field is set to FILE_DELETION.Else, if the properties.ActionType log field value is equal to FileModified, then the metadata.event_type UDM field is set to FILE_MODIFICATION.Else, if the properties.ActionType log field value is equal to FileRenamed, then the metadata.event_type UDM field is set to FILE_MOVE. |
properties.ReportId |
metadata.product_log_id |
|
properties.RequestProtocol |
network.application_protocol |
If the properties.RequestProtocol log field value is equal to SMB, then the network.application_protocol UDM field is set to SMB.Else, if the properties.RequestProtocol log field value is equal to NFS, then the network.application_protocol UDM field is set to NFS.Else, if the properties.RequestProtocol log field value is equal to Local, then the network.application_protocol UDM field is set to UNKNOWN_APPLICATION_PROTOCOL. |
properties.FileOriginReferrerUrl |
network.http.referral_url |
|
properties.InitiatingProcessAccountDomain |
principal.administrative_domain |
If the properties.InitiatingProcessAccountDomain log field value is not empty, then the properties.InitiatingProcessAccountDomain log field is mapped to the principal.administrative_domain UDM field. |
properties.RequestAccountDomain |
principal.administrative_domain |
If the properties.InitiatingProcessAccountDomain log field value is empty, then the properties.RequestAccountDomain log field is mapped to the principal.administrative_domain UDM field. |
properties.DeviceId |
principal.asset_id |
The principal.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.DeviceName |
principal.hostname |
|
properties.FileOriginIP |
principal.ip |
|
properties.RequestSourceIP |
principal.ip |
|
properties.RequestSourcePort |
principal.port |
|
properties.InitiatingProcessCommandLine |
principal.process.command_line |
|
properties.InitiatingProcessFolderPath |
principal.process.file.full_path |
If the properties.InitiatingProcessFolderPath log field value matches the regular expression pattern the properties.InitiatingProcessFileName log field value, then the properties.InitiatingProcessFolderPath log field is mapped to the principal.process.file.full_path UDM field.Else, the principal.process.file.full_path is set to %{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}. |
properties.InitiatingProcessMD5 |
principal.process.file.md5 |
If the properties.InitiatingProcessMD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessMD5 log field is mapped to the principal.process.file.md5 UDM field. |
properties.InitiatingProcessFileName |
principal.process.file.names |
|
properties.InitiatingProcessSHA1 |
principal.process.file.sha1 |
If the properties.InitiatingProcessSHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessSHA1 log field is mapped to the principal.process.file.sha1 UDM field. |
properties.InitiatingProcessSHA256 |
principal.process.file.sha256 |
If the properties.InitiatingProcessSHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.InitiatingProcessSHA256 log field is mapped to the principal.process.file.sha256 UDM field. |
properties.InitiatingProcessFileSize |
principal.process.file.size |
|
properties.InitiatingProcessParentId |
principal.process.parent_process.pid |
|
properties.InitiatingProcessParentFileName |
principal.process.parent_process.file.names |
|
properties.InitiatingProcessId |
principal.process.pid |
|
properties.InitiatingProcessTokenElevation |
principal.process.token_elevation_type |
If the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeFull, then the principal.process.token_elevation_type UDM field is set to TYPE_1.Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeDefault, then the principal.process.token_elevation_type UDM field is set to TYPE_2.Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeLimited, then the principal.process.token_elevation_type UDM field is set to TYPE_3. |
properties.FileOriginUrl |
principal.url |
|
properties.InitiatingProcessAccountObjectId |
principal.user.product_object_id |
|
properties.InitiatingProcessAccountUpn |
principal.user.user_display_name |
|
properties.InitiatingProcessAccountName |
principal.user.userid |
If the properties.InitiatingProcessAccountName log field value is not empty, then the properties.InitiatingProcessAccountName log field is mapped to the principal.user.userid UDM field. |
properties.RequestAccountName |
principal.user.userid |
If the properties.InitiatingProcessAccountName log field value is empty, then the properties.RequestAccountName log field is mapped to the principal.user.userid UDM field. |
properties.InitiatingProcessAccountSid |
principal.user.windows_sid |
If the properties.InitiatingProcessAccountSid log field value is not empty, then the properties.InitiatingProcessAccountSid log field is mapped to the principal.user.windows_sid UDM field. |
properties.RequestAccountSid |
principal.user.windows_sid |
If the properties.InitiatingProcessAccountSid log field value is empty, then the properties.RequestAccountSid log field is mapped to the principal.user.windows_sid UDM field. |
properties.PreviousFolderPath |
src.file.full_path |
If the properties.PreviousFolderPath log field value matches the regular expression pattern the properties.PreviousFileName log field value, then the properties.PreviousFolderPath log field is mapped to the src.file.full_path UDM field.Else, src.file.full_path set to the %{properties.PreviousFolderPath}/%{properties.PreviousFileName}. |
properties.PreviousFileName |
src.file.names |
|
properties.FolderPath |
target.file.full_path |
If the properties.FolderPath log field value matches the regular expression pattern the properties.FileName log field value, then the properties.FolderPath log field is mapped to the target.file.full_path UDM field.Else, the target.file.full_path set to %{properties.FolderPath}/%{properties.FileName}. |
properties.MD5 |
target.file.md5 |
If the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.MD5 log field is mapped to the target.file.md5 UDM field. |
properties.FileName |
target.file.names |
|
properties.SHA1 |
target.file.sha1 |
If the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.SHA1 log field is mapped to the target.file.sha1 UDM field. |
properties.SHA256 |
target.file.sha256 |
If the properties.SHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.SHA256 log field is mapped to the target.file.sha256 UDM field. |
properties.FileSize |
target.file.size |
|
properties.SensitivityLabel |
target.file.tags |
|
properties.SensitivitySubLabel |
target.file.tags |
|
properties.AdditionalFields |
additional.fields[additional_fields] |
|
properties.AppGuardContainerId |
additional.fields[app_guard_container_id] |
|
properties.InitiatingProcessCreationTime |
additional.fields[initiating_process_creation_time] |
|
properties.InitiatingProcessIntegrityLevel |
additional.fields[initiating_process_integrity_level] |
|
properties.InitiatingProcessVersionInfoCompanyName |
principal.process.file.exif_info.company |
|
properties.InitiatingProcessVersionInfoFileDescription |
principal.process.file.exif_info.file_description |
|
properties.InitiatingProcessVersionInfoInternalFileName |
additional.fields[initiating_process_version_info_internal_file_name] |
|
properties.InitiatingProcessVersionInfoOriginalFileName |
principal.process.file.exif_info.original_file |
|
properties.InitiatingProcessVersionInfoProductName |
principal.process.file.exif_info.product |
|
properties.InitiatingProcessVersionInfoProductVersion |
additional.fields[initiating_process_version_info_product_version] |
|
properties.InitiatingProcessParentCreationTime |
additional.fields[initiating_process_parent_creation_time] |
|
properties.IsAzureInfoProtectionApplied |
additional.fields[is_azure_info_protection_applied] |
|
properties.ShareName |
additional.fields[share_name] |
Riferimento alla mappatura dei campi: MICROSOFT DEFENDER ENDPOINT - DeviceInfo
La tabella seguente elenca i campi dei log per il tipo di logDeviceInfo e i relativi campi UDM:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.DeviceId |
entity.asset_id |
The entity.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.DeviceId |
entity.asset.asset_id |
The entity.asset.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.AadDeviceId |
entity.asset.attribute.labels[aad_device_id] |
|
properties.AdditionalFields |
entity.asset.attribute.labels[additional_fields] |
|
properties.ConnectivityType |
entity.asset.attribute.labels[connectivity_type] |
|
properties.DeviceDynamicTags |
entity.asset.attribute.labels[device_dynamic_tags] |
|
properties.DeviceManualTags |
entity.asset.attribute.labels[device_manual_tags] |
|
properties.DeviceSubtype |
entity.asset.attribute.labels[device_subtype] |
|
properties.HostDeviceId |
entity.asset.attribute.labels[host_device_id] |
|
properties.IsAzureADJoined |
entity.asset.attribute.labels[is_azure_ad_joined] |
|
properties.IsInternetFacing |
entity.asset.attribute.labels[is_internet_facing] |
|
properties.JoinType |
entity.asset.attribute.labels[join_type] |
|
properties.MergedDeviceIds |
entity.asset.attribute.labels[merged_device_ids] |
|
properties.MergedToDeviceId |
entity.asset.attribute.labels[merged_to_device_id] |
|
properties.OnboardingStatus |
entity.asset.attribute.labels[onboarding_status] |
|
properties.OSArchitecture |
entity.asset.attribute.labels[os_architecture] |
|
properties.OSDistribution |
entity.asset.attribute.labels[os_distribution] |
|
properties.OSVersionInfo |
entity.asset.attribute.labels[os_version_info] |
|
properties.RegistryDeviceTag |
entity.asset.attribute.labels[registry_divice_tag] |
|
properties.ReportId |
entity.asset.attribute.labels[report_id] |
|
properties.SensorHealthState |
entity.asset.attribute.labels[sensor_health_state] |
|
properties.DeviceCategory |
entity.asset.category |
|
properties.Vendor |
entity.asset.hardware.manufacturer |
|
properties.Model |
entity.asset.hardware.model |
|
properties.DeviceName |
entity.asset.hostname |
|
properties.PublicIP |
entity.asset.nat_ip |
|
properties.OSBuild |
entity.asset.platform_software.plateform_patch_level |
|
properties.OSPlatform |
entity.asset.platform_software.platform |
If the properties.OSPlatform log field value matches the regular expression pattern (?i)macos, then the entity.asset.platform_software.platform UDM field is set to MAC.Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)windows, then the entity.asset.platform_software.platform UDM field is set to WINDOWS.Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)linux, then the entity.asset.platform_software.platform UDM field is set to LINUX. |
properties.OSVersion |
entity.asset.platform_software.platform_version |
|
properties.ClientVersion |
entity.asset.software.version |
|
properties.DeviceType |
entity.asset.type |
If the properties.DeviceType log field value is equal to NetworkDevice, then the entity.asset.type UDM field is set to NETWORK_ATTACHED_STORAGE.Else, if the properties.DeviceType log field value is equal to Workstation, then the entity.asset.type UDM field is set to WORKSTATION.Else, if the properties.DeviceType log field value is equal to Server, then the entity.asset.type UDM field is set to SERVER.Else, if the properties.DeviceType log field value is equal to Mobile, then the entity.asset.type UDM field is set to MOBILE.Else if the properties.DeviceType log field value is equal to Printer, then the entity.asset.type UDM field is set to PRINTER. |
properties.DeviceType |
entity.asset.attribute.labels |
if the properties.DeviceType log field value is equal to GamingConsole, then the properties.DeviceType log field is mapped to the entity.asset.attribute.labels UDM field. |
properties.MachineGroup |
entity.group.group_display_name |
|
properties.ExclusionReason |
entity.security_result.detection_fields[exclusion_reason] |
|
properties.ExposureLevel |
entity.security_result.detection_fields[exposure_level] |
|
properties.IsExcluded |
entity.security_result.detection_fields[is_excluded] |
|
properties.AssetValue |
entity.security_result.priority |
If the properties.AssetValue log field value is equal to High, then the entity.security_result.priority UDM field is set to HIGH_PRIORITY.Else, if the properties.AssetValue log field value is equal to Medium, then the entity.security_result.priority UDM field is set to MEDIUM_PRIORITY.Else, if the properties.AssetValue log field value is equal to Low, then the entity.security_result.priority UDM field is set to LOW_PRIORITY.Else, the properties.AssetValue log field is mapped to the entity.security_result.detection_fields.asset_value UDM field. |
properties.Timestamp |
metadata.creation_timestamp |
|
|
metadata.entity_type |
The metadata.entity_type UDM field is set to ASSET. |
properties.DeviceId |
metadata.product_entity_id |
The metadata.product_entity_id is set to DeviceID:%{properties.DeviceId}. |
|
relations.direction |
The relations.direction UDM field is set to UNIDIRECTIONAL. |
|
relations.entity_type |
The relations.entity_type UDM field is set to USER. |
|
relations.relationship |
The relations.relationship UDM field is set to MEMBER. |
properties.LoggedOnUsers.DomainName |
relations.entity.domain.name |
|
properties.LoggedOnUsers.UserName |
relations.entity.user.userid |
|
properties.LoggedOnUsers.Sid |
relations.entity.user.windows_sid |
|
properties.LoggedOnUsers |
|
Riferimento alla mappatura dei campi: MICROSOFT DEFENDER ENDPOINT - DeviceIdentityLogonEvents
La tabella seguente elenca i campi dei log per il tipo di logDeviceIdentityLogonEvents e i relativi campi UDM:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.Application |
additional.fields[application] |
|
|
metadata.event_type |
The metadata.event_type UDM field is set to SCAN_HOST. |
properties.DeviceId |
principal.asset_id |
If the properties.DeviceId log field value is not empty, then the AssetID:properties.DeviceId log field is mapped to the principal.asset_id UDM field. else, then the AssetID:properties.AdditionalFields.MachineId log field is mapped to the principal.asset_id UDM field. |
properties.DeviceName |
principal.hostname |
If the properties.DeviceName log field value is not empty, then the properties.DeviceName log field is mapped to the principal.hostname UDM field. |
properties.LocalIP |
principal.asset.ip |
If the properties.LocalIP log field value is not empty, then the properties.LocalIP log field is mapped to the principal.asset.ip UDM field. |
properties.FolderPath |
target.file.full_path |
If the properties.FileName log field value matches the regular expression pattern the properties.FolderPath, then the properties.FolderPath log field is mapped to the target.file.full_path UDM field.Else, the properties.FolderPath/properties.FileName log field is mapped to the target.file.full_path UDM field. |
properties.FileName |
target.file.names |
|
properties.SHA1 |
target.file.sha1 |
If the properties.SHA1 log field value matches the regular expression pattern ^the , then the properties.SHA1 log field is mapped to the target.file.sha1 UDM field. |
properties.SHA256 |
target.file.sha256 |
If the properties.SHA256 log field value matches the regular expression pattern ^the , then the properties.SHA256 log field is mapped to the target.file.sha256 UDM field. |
properties.FileSize |
target.file.size |
|
properties.AccountDomain |
principal.administrative_domain |
|
properties.RemoteIP |
target.ip |
|
properties.AdditionalFields |
additional.fields[additionalfields] |
|
properties.ProcessCommandLine |
target.process.command_line |
|
properties.RegistryKey |
target.registry.registry_key |
|
properties.RegistryValueData |
target.registry.registry_value_data |
|
properties.RegistryValueName |
target.registry.registry_value_name |
|
properties.CloudPlatform |
principal.resource.attribute.cloud.environment |
If the properties.CloudPlatform log field value matches the regular expression pattern /(?i)Amazon Web Services/, then the principal.resource.attribute.cloud.environment UDM field is set to AMAZON_WEB_SERVICES.Else, if the properties.CloudPlatform log field value matches the regular expression pattern /(?i)Google Cloud Platform/, then the principal.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM.Else, if the properties.CloudPlatform log field value matches the regular expression pattern /(?i)Azure/, then the principal.resource.attribute.cloud.environment UDM field is set to MICROSOFT_AZURE.Else, the principal.resource.attribute.cloud.environment UDM field is set to UNSPECIFIED_CLOUD_ENVIRONMENT. |
properties.SubscriptionId |
principal.resource.attribute.labels[subscription_id] |
|
properties.CloudResource |
principal.resource.name |
|
properties.ResourceID |
principal.resource.product_object_id |
|
|
principal.resource.resource_type |
The principal.resource.resource_type UDM field is set to CLOUD_PROJECT. |
properties.Categories |
security_result.category_details |
|
properties.Severity |
security_result.severity |
|
properties.Title |
security_result.summary |
|
properties.ThreatFamily |
security_result.threat_name |
|
properties.RemoteUrl |
target.url |
|
properties.EvidenceDirection |
principal.user.attribute.labels[evidence_direction] |
|
properties.EvidenceRole |
principal.user.attribute.labels[evidence_role] |
|
properties.AccountObjectId |
additional.fields[account_object_id] |
|
properties.AccountUpn |
principal.user.user_display_name |
|
properties.AccountName |
principal.user.userid |
|
properties.AccountSid |
principal.user.windows_sid |
|
properties.Timestamp |
metadata.event_timestamp |
|
properties.EntityType |
principal.resource.resource_subtype |
|
properties.AlertId |
metadata.product_log_id |
|
properties.DetectionSource |
security_result.about.resource.attribute.labels[detection_source] |
|
properties.ServiceSource |
security_result.about.resource.attribute.labels[service_source] |
|
properties.AttackTechniques |
security_result.attack_details.techniques.name |
|
properties.ApplicationId |
additional.fields[application_id] |
|
properties.EmailSubject |
network.email.subject |
|
properties.NetworkMessageId |
network.email.mail_id |
|
properties.OAuthApplicationId |
additional.fields[oauth_application_id] |
Riferimento alla mappatura dei campi: MICROSOFT DEFENDER ENDPOINT - DeviceLogonEvents
La tabella seguente elenca i campi dei log per il tipo di logDeviceLogonEvents e i relativi campi UDM:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.LogonType |
extensions.auth.mechanism |
If the properties.LogonType log field value is equal to Interactive, then the extensions.auth.mechanism UDM field is set to INTERACTIVE.Else, if the properties.LogonType log field value is equal to Network, then the extensions.auth.mechanism UDM field is set to NETWORK.Else, if the properties.LogonType log field value is equal to Batch, then the extensions.auth.mechanism UDM field is set to BATCH.Else, if the properties.LogonType log field value is equal to Service, then the extensions.auth.mechanism UDM field is set to SERVICE.Else, if the properties.LogonType log field value is equal to RemoteInteractive, then the extensions.auth.mechanism UDM field is set to REMOTE_INTERACTIVE. |
properties.Timestamp |
metadata.event_timestamp |
|
|
metadata.event_type |
The metadata.event_type UDM field is set to USER_LOGIN. |
properties.ReportId |
metadata.product_log_id |
|
properties.Protocol |
network.ip_protocol |
If the properties.Protocol log field value is equal to Tcp, then the network.ip_protocol UDM field is set to TCP.If the properties.Protocol log field value is equal to Udp, then the network.ip_protocol UDM field is set to UDP.If the properties.Protocol log field value is equal to Icmp, then the network.ip_protocol UDM field is set to ICMP. |
properties.LogonId |
network.session_id |
|
properties.InitiatingProcessAccountDomain |
principal.administrative_domain |
|
properties.DeviceId |
principal.asset_id |
The principal.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.DeviceName |
principal.hostname |
|
properties.InitiatingProcessCommandLine |
principal.process.command_line |
|
properties.InitiatingProcessFolderPath |
principal.process.file.full_path |
If the properties.InitiatingProcessFolderPath log field value matches the regular expression pattern the properties.InitiatingProcessFileName log field value, then the properties.InitiatingProcessFolderPath log field is mapped to the principal.process.file.full_path UDM field.Else, the principal.process.file.full_path is set to %{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}. |
properties.InitiatingProcessMD5 |
principal.process.file.md5 |
If the properties.InitiatingProcessMD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessMD5 log field is mapped to the principal.process.file.md5 UDM field. |
properties.InitiatingProcessFileName |
principal.process.file.names |
|
properties.InitiatingProcessSHA1 |
principal.process.file.sha1 |
If the properties.InitiatingProcessSHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessSHA1 log field is mapped to the principal.process.file.sha1 UDM field. |
properties.InitiatingProcessSHA256 |
principal.process.file.sha256 |
If the properties.InitiatingProcessSHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.InitiatingProcessSHA256 log field is mapped to the principal.process.file.sha256 UDM field. |
properties.InitiatingProcessFileSize |
principal.process.file.size |
|
properties.InitiatingProcessParentFileName |
principal.process.parent_process.file.names |
|
properties.InitiatingProcessParentId |
principal.process.parent_process.pid |
|
properties.InitiatingProcessId |
principal.process.pid |
|
properties.InitiatingProcessTokenElevation |
principal.process.token_elevation_type |
If the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeFull, then the principal.process.token_elevation_type UDM field is set to TYPE_1.Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeDefault, then the principal.process.token_elevation_type UDM field is set to TYPE_2.Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeLimited, then the principal.process.token_elevation_type UDM field is set to TYPE_3. |
properties.InitiatingProcessAccountObjectId |
principal.user.product_object_id |
|
properties.InitiatingProcessAccountUpn |
principal.user.user_display_name |
|
properties.InitiatingProcessAccountName |
principal.user.userid |
|
properties.InitiatingProcessAccountSid |
principal.user.windows_sid |
|
properties.FailureReason |
security_result.description |
|
properties.AccountDomain |
target.administrative_domain |
|
properties.RemoteDeviceName |
target.hostname |
|
properties.RemoteIP |
target.ip |
|
properties.RemotePort |
target.port |
|
properties.IsLocalAdmin |
target.resource.attribute.labels[is_local_admin] |
|
properties.AccountName |
target.user.userid |
|
properties.AccountSid |
target.user.windows_sid |
|
properties.RemoteIPType |
additional.fields[remote_ip_type] |
|
properties.AdditionalFields |
additional.fields[additional_fields] |
|
properties.AppGuardContainerId |
additional.fields[app_guard_container_id] |
|
properties.InitiatingProcessCreationTime |
additional.fields[initiating_process_creation_time] |
|
properties.InitiatingProcessIntegrityLevel |
additional.fields[initiating_process_integrity_level] |
|
properties.InitiatingProcessVersionInfoCompanyName |
principal.process.file.exif_info.company |
|
properties.InitiatingProcessVersionInfoFileDescription |
principal.process.file.exif_info.file_description |
|
properties.InitiatingProcessVersionInfoInternalFileName |
additional.fields[initiating_process_version_info_internal_file_name] |
|
properties.InitiatingProcessVersionInfoOriginalFileName |
principal.process.file.exif_info.original_file |
|
properties.InitiatingProcessVersionInfoProductName |
principal.process.file.exif_info.product |
|
properties.InitiatingProcessVersionInfoProductVersion |
additional.fields[initiating_process_version_info_product_version] |
|
properties.InitiatingProcessParentCreationTime |
additional.fields[initiating_process_parent_creation_time] |
Riferimento alla mappatura dei campi: MICROSOFT DEFENDER ENDPOINT - DeviceNetworkEvents
La tabella seguente elenca i campi dei log per il tipo di logDeviceNetworkEvents e i relativi campi UDM:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.Timestamp |
metadata.event_timestamp |
|
|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_CONNECTION. |
properties.ReportId |
metadata.product_log_id |
|
properties.Protocol |
network.ip_protocol |
If the properties.Protocol log field value is equal to Tcp, then the network.ip_protocol UDM field is set to TCP.Else, if the properties.Protocol log field value is equal to Udp, then the network.ip_protocol UDM field is set to UDP.Else, if the properties.Protocol log field value is equal to Icmp, then the network.ip_protocol UDM field is set to ICMP. |
properties.InitiatingProcessAccountDomain |
principal.administrative_domain |
|
properties.DeviceId |
principal.asset_id |
The principal.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.DeviceName |
principal.hostname |
|
properties.LocalIP |
principal.ip |
|
properties.LocalPort |
principal.port |
|
properties.InitiatingProcessCommandLine |
principal.process.command_line |
|
properties.InitiatingProcessFolderPath |
principal.process.file.full_path |
If the properties.InitiatingProcessFolderPath log field value matches the regular expression pattern the properties.InitiatingProcessFileName log field value, then the properties.InitiatingProcessFolderPath log field is mapped to the principal.process.file.full_path UDM field.Else, the principal.process.file.full_path is set to %{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}. |
properties.InitiatingProcessMD5 |
principal.process.file.md5 |
If the properties.InitiatingProcessMD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessMD5 log field is mapped to the principal.process.file.md5 UDM field. |
properties.InitiatingProcessFileName |
principal.process.file.names |
|
properties.InitiatingProcessSHA1 |
principal.process.file.sha1 |
If the properties.InitiatingProcessSHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessSHA1 log field is mapped to the principal.process.file.sha1 UDM field. |
properties.InitiatingProcessSHA256 |
principal.process.file.sha256 |
If the properties.InitiatingProcessSHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.InitiatingProcessSHA256 log field is mapped to the principal.process.file.sha256 UDM field. |
properties.InitiatingProcessFileSize |
principal.process.file.size |
|
properties.InitiatingProcessParentFileName |
principal.process.parent_process.file.names |
|
properties.InitiatingProcessParentId |
principal.process.parent_process.pid |
|
properties.InitiatingProcessId |
principal.process.pid |
|
properties.InitiatingProcessTokenElevation |
principal.process.token_elevation_type |
If the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeFull, then the principal.process.token_elevation_type UDM field is set to TYPE_1.Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeDefault, then the principal.process.token_elevation_type UDM field is set to TYPE_2.Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeLimited, then the principal.process.token_elevation_type UDM field is set to TYPE_3. |
properties.InitiatingProcessAccountObjectId |
principal.user.product_object_id |
|
properties.InitiatingProcessAccountUpn |
principal.user.user_display_name |
|
properties.InitiatingProcessAccountName |
principal.user.userid |
|
properties.InitiatingProcessAccountSid |
principal.user.windows_sid |
|
properties.RemoteIP |
target.ip |
|
properties.RemotePort |
target.port |
|
properties.RemoteUrl |
target.url |
|
properties.LocalIPType |
additional_fields[LocalIPType] |
|
properties.RemoteIPType |
additional_fields[RemoteIPType] |
|
properties.AdditionalFields |
additional.fields[additional_fields] |
|
properties.AppGuardContainerId |
additional.fields[app_guard_container_id] |
|
properties.InitiatingProcessCreationTime |
additional.fields[initiating_process_creation_time] |
|
properties.InitiatingProcessIntegrityLevel |
additional.fields[initiating_process_integrity_level] |
|
properties.InitiatingProcessParentCreationTime |
additional.fields[initiating_process_parent_creation_time] |
|
properties.InitiatingProcessVersionInfoCompanyName |
principal.process.file.exif_info.company |
|
properties.InitiatingProcessVersionInfoFileDescription |
principal.process.file.exif_info.file_description |
|
properties.InitiatingProcessVersionInfoInternalFileName |
additional.fields[initiating_process_version_info_internal_file_name] |
|
properties.InitiatingProcessVersionInfoOriginalFileName |
principal.process.file.exif_info.original_file |
|
properties.InitiatingProcessVersionInfoProductName |
principal.process.file.exif_info.product |
|
properties.InitiatingProcessVersionInfoProductVersion |
additional.fields[initiating_process_version_info_product_version] |
Riferimento alla mappatura dei campi: MICROSOFT DEFENDER ENDPOINT - DeviceNetworkInfo
La tabella seguente elenca i campi dei log per il tipo di logDeviceNetworkInfo e i relativi campi UDM:
| Log field | UDM mapping | Logic |
|---|---|---|
DeviceNetworkInfo |
|
|
properties.DeviceId |
entity.asset_id |
The entity.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.DeviceId |
entity.asset.asset_id |
The entity.asset.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.ReportId |
entity.asset.attribute.labels[report_id] |
|
properties.ConnectedNetworks |
entity.asset.attribute.labels[connected_networks] |
|
properties.MacAddress |
entity.asset.mac |
|
properties.NetworkAdapterName |
entity.asset.attribute.labels[network_adapter_name] |
|
properties.NetworkAdapterStatus |
entity.asset.attribute.labels[network_adapter_status] |
|
properties.NetworkAdapterType |
entity.asset.attribute.labels[network_adapter_type] |
|
properties.NetworkAdapterVendor |
entity.asset.attribute.labels[network_adapter_vendor] |
|
properties.TunnelType |
entity.asset.attribute.labels[tunnel_type] |
|
properties.DefaultGateways |
entity.asset.attribute.labels[default_gateways] |
|
properties.DeviceName |
entity.asset.hostname |
|
properties.IPAddresses |
entity.asset.ip |
|
|
entity.asset.type |
The entity.asset.type UDM field is set to WORKSTATION. |
properties.DnsAddresses |
entity.domain.last_dns_records.type |
The entity.domain.last_dns_records.type UDM field is set to ip_address. |
properties.DnsAddresses |
entity.domain.last_dns_records.value |
The properties.DnsAddresses log field is mapped to the entity.domain.last_dns_records.value UDM field. |
properties.IPv4Dhcp |
entity.network.dhcp.ciaddr |
If the properties.IPv4Dhcp log field value is not empty, then the properties.IPv4Dhcp log field is mapped to the entity.network.dhcp.ciaddr UDM field. Else, the properties.IPv6Dhcp log field is mapped to the entity.network.dhcp.ciaddr UDM field. |
properties.Timestamp |
metadata.creation_time |
|
|
metadata.entity_type |
The metadata.entity_type UDM field is set to ASSET. |
properties.DeviceId |
metadata.product_entity_id |
The metadata.product_entity_id is set to DeviceID:%{properties.DeviceId}. |
Riferimento alla mappatura dei campi: MICROSOFT DEFENDER ENDPOINT - DeviceProcessEvents
La tabella seguente elenca i campi dei log per il tipo di logDeviceProcessEvents e i relativi campi UDM:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.Timestamp |
metadata.event_timestamp |
|
properties.ActionType |
metadata.event_type |
If the properties.ActionType log field value matches the regular expression pattern (?i)ProcessCreated, then the metadata.event_type UDM field is set to PROCESS_LAUNCH.Else, if the properties.ActionType log field value matches the regular expression pattern (?i)OpenProcess, then the metadata.event_type UDM field is set to PROCESS_OPEN. |
properties.ReportId |
metadata.product_log_id |
|
properties.LogonId |
network.session_id |
|
properties.InitiatingProcessAccountDomain |
principal.administrative_domain |
|
properties.DeviceId |
principal.asset_id |
The principal.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.DeviceName |
principal.hostname |
|
properties.InitiatingProcessCommandLine |
principal.process.command_line |
|
properties.InitiatingProcessFolderPath |
principal.process.file.full_path |
If the properties.InitiatingProcessFolderPath log field value matches the regular expression pattern the properties.InitiatingProcessFileName log field value, then the properties.InitiatingProcessFolderPath log field is mapped to the principal.process.file.full_path UDM field.Else, the principal.process.file.full_path is set to %{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}. |
properties.InitiatingProcessMD5 |
principal.process.file.md5 |
If the properties.InitiatingProcessMD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessMD5 log field is mapped to the principal.process.file.md5 UDM field. |
properties.InitiatingProcessFileName |
principal.process.file.names |
|
properties.InitiatingProcessSHA1 |
principal.process.file.sha1 |
If the properties.InitiatingProcessSHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessSHA1 log field is mapped to the principal.process.file.sha1 UDM field. |
properties.InitiatingProcessSHA256 |
principal.process.file.sha256 |
If the properties.InitiatingProcessSHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.InitiatingProcessSHA256 log field is mapped to the principal.process.file.sha256 UDM field. |
properties.InitiatingProcessSignatureStatus |
principal.process.file.signature_info.sigcheck.signers.status |
|
properties.InitiatingProcessFileSize |
principal.process.file.size |
|
properties.InitiatingProcessParentId |
principal.process.parent_process.pid |
|
properties.InitiatingProcessParentFileName |
principal.process.parent_process.file.names |
|
properties.InitiatingProcessId |
principal.process.pid |
|
properties.InitiatingProcessTokenElevation |
principal.process.token_elevation_type |
If the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeFull, then the principal.process.token_elevation_type UDM field is set to TYPE_1.Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeDefault, then the principal.process.token_elevation_type UDM field is set to TYPE_2.Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeLimited, then the principal.process.token_elevation_type UDM field is set to TYPE_3 |
properties.InitiatingProcessAccountObjectId |
principal.user.product_object_id |
|
properties.InitiatingProcessAccountUpn |
principal.user.user_display_name |
|
properties.InitiatingProcessAccountName |
principal.user.userid |
|
properties.InitiatingProcessAccountSid |
principal.user.windows_sid |
|
properties.AccountDomain |
target.administrative_domain |
|
properties.FolderPath |
target.file.full_path |
If the properties.FolderPath log field value matches the regular expression pattern the properties.FileName log field value, then the properties.FolderPath log field is mapped to the target.file.full_path UDM field.Else, the target.file.full_path set to %{properties.FolderPath}/%{properties.FileName}. |
properties.MD5 |
target.process.file.md5 |
If the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.MD5 log field is mapped to the target.file.md5 UDM field. |
properties.FileName |
target.process.file.names |
|
properties.SHA1 |
target.process.file.sha1 |
If the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.SHA1 log field is mapped to the target.file.sha1 UDM field. |
properties.SHA256 |
target.process.file.sha256 |
If the properties.SHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.SHA256 log field is mapped to the target.file.sha256 UDM field. |
properties.FileSize |
target.process.file.size |
|
properties.ProcessCommandLine |
target.process.command_line |
|
properties.ProcessId |
target.process.pid |
|
properties.ProcessTokenElevation |
target.process.token_elevation_type |
If the properties.ProcessTokenElevation log field value is equal to TokenElevationTypeFull, then the target.process.token_elevation_type UDM field is set to TYPE_1.Else, if the properties.ProcessTokenElevation log field value is equal to TokenElevationTypeDefault, then the target.process.token_elevation_type UDM field is set to TYPE_2.Else, if the properties.ProcessTokenElevation log field value is equal to TokenElevationTypeLimited, then the target.process.token_elevation_type UDM field is set to TYPE_3. |
properties.ProcessIntegrityLevel |
target.resource.attribute.labels[process_integrity_level] |
|
properties.AccountUpn |
target.user.user_display_name |
|
properties.AccountName |
target.user.userid |
|
properties.AccountSid |
target.user.windows_sid |
|
properties.InitiatingProcessCreationTime |
additional.fields[initiating_process_creation_time] |
|
properties.InitiatingProcessParentCreationTime |
additional.fields[initiating_process_parent_creation_time] |
|
properties.AccountObjectId |
additional.fields[account_object_id] |
|
properties.AdditionalFields |
additional.fields[additional_fields] |
|
properties.AppGuardContainerId |
additional.fields[app_guard_container_id] |
|
properties.InitiatingProcessIntegrityLevel |
additional.fields[initiating_process_integrity_level] |
|
properties.InitiatingProcessLogonId |
additional.fields[initiating_process_logon_id] |
|
properties.InitiatingProcessSignerType |
additional.fields[initiating_process_signer_type] |
|
properties.InitiatingProcessVersionInfoCompanyName |
principal.process.file.exif_info.company |
|
properties.InitiatingProcessVersionInfoFileDescription |
principal.process.file.exif_info.file_description |
|
properties.InitiatingProcessVersionInfoInternalFileName |
additional.fields[initiating_process_version_info_internal_file_name] |
|
properties.InitiatingProcessVersionInfoOriginalFileName |
principal.process.file.exif_info.original_file |
|
properties.InitiatingProcessVersionInfoProductName |
principal.process.file.exif_info.product |
|
properties.InitiatingProcessVersionInfoProductVersion |
additional.fields[initiating_process_version_info_product_version] |
|
properties.ProcessCreationTime |
additional.fields[process_creation_time] |
|
properties.ProcessVersionInfoCompanyName |
target.process.file.exif_info.company |
|
properties.ProcessVersionInfoFileDescription |
target.process.file.exif_info.file_description |
|
properties.ProcessVersionInfoInternalFileName |
additional.fields[process_version_info_internal_file_name] |
|
properties.ProcessVersionInfoOriginalFileName |
target.process.file.exif_info.original_file |
|
properties.ProcessVersionInfoProductName |
target.process.file.exif_info.product |
|
properties.ProcessVersionInfoProductVersion |
additional.fields[process_version_info_product_version] |
Riferimento alla mappatura dei campi: MICROSOFT DEFENDER ENDPOINT - DeviceTvmInfoGathering
La tabella seguente elenca i campi dei log per il tipo di logDeviceTvmInfoGathering e i relativi campi UDM:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.Timestamp |
metadata.event_timestamp |
|
|
metadata.event_type |
The metadata.event_type UDM field is set to SCAN_HOST. |
properties.DeviceId |
principal.asset_id |
The principal.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.OSPlatform |
principal.asset.platform_software.platform |
If the properties.OSPlatform log field value matches the regular expression pattern (?i)macos, then the principal.asset.platform_software.platform UDM field is set to MAC.Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)windows, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)linux, then the principal.asset.platform_software.platform UDM field is set to LINUX. |
properties.OSPlatform |
principal.asset.platform_software.platform_version |
|
properties.DeviceName |
principal.hostname |
|
properties.LastSeenTime |
security.result.last_discovered_time |
|
properties.AdditionalFields |
additional.fields[additional_fields] |
Riferimento alla mappatura dei campi: MICROSOFT DEFENDER ENDPOINT - DeviceRegistryEvents
La tabella seguente elenca i campi dei log per il tipo di logDeviceRegistryEvents e i relativi campi UDM:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.Timestamp |
metadata.event_timestamp |
|
properties.ActionType |
metadata.event_type |
If the properties.ActionType log field value matches the regular expression pattern (?i)RegistryKeyCreated, then the metadata.event_type UDM field is set to REGISTRY_CREATION.Else, if the properties.ActionType log field value matches the regular expression pattern (?i)RegistryKeyDeleted, then the metadata.event_type UDM field is set to REGISTRY_DELETION.Else, if the properties.ActionType log field value matches the regular expression pattern (?i)RegistryKeyRenamed, then the metadata.event_type UDM field is set to REGISTRY_MODIFICATION.Else, if the properties.ActionType log field value matches the regular expression pattern (?i)RegistryValueDeleted, then the metadata.event_type UDM field is set to REGISTRY_DELETION.Else, if the properties.ActionType log field value matches the regular expression pattern (?i)RegistryValueSet, then the metadata.event_type UDM field is set to REGISTRY_MODIFICATION.Else, the metadata.event_type UDM field is set to REGISTRY_UNCATEGORIZED. |
properties.ReportId |
metadata.product_log_id |
|
properties.InitiatingProcessAccountDomain |
principal.administrative_domain |
|
properties.DeviceId |
principal.asset_id |
The principal.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.DeviceName |
principal.hostname |
|
properties.InitiatingProcessCommandLine |
principal.process.command_line |
|
properties.InitiatingProcessFolderPath |
principal.process.file.full_path |
If the properties.InitiatingProcessFolderPath log field value matches the regular expression pattern the properties.InitiatingProcessFileName log field value, then the properties.InitiatingProcessFolderPath log field is mapped to the principal.process.file.full_path UDM field.Else, the principal.process.file.full_path is set to %{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}. |
properties.InitiatingProcessMD5 |
principal.process.file.md5 |
If the properties.InitiatingProcessMD5 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessMD5 log field is mapped to the principal.process.file.md5 UDM field. |
properties.InitiatingProcessFileName |
principal.process.file.names |
|
properties.InitiatingProcessSHA1 |
principal.process.file.sha1 |
If the properties.InitiatingProcessSHA1 log field value matches the regular expression pattern ^[0-9a-f]+$, then the properties.InitiatingProcessSHA1 log field is mapped to the principal.process.file.sha1 UDM field. |
properties.InitiatingProcessSHA256 |
principal.process.file.sha256 |
If the properties.InitiatingProcessSHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.InitiatingProcessSHA256 log field is mapped to the principal.process.file.sha256 UDM field. |
properties.InitiatingProcessFileSize |
principal.process.file.size |
|
properties.InitiatingProcessParentFileName |
principal.process.parent_process.file.names |
|
properties.InitiatingProcessParentId |
principal.process.parent_process.pid |
|
properties.InitiatingProcessId |
principal.process.pid |
|
properties.PreviousRegistryValueData |
principal.registry.registry_value_data |
|
properties.PreviousRegistryKey |
principal.registry.registry_key |
|
properties.PreviousRegistryValueName |
principal.registry.registry_value_name |
|
properties.InitiatingProcessAccountObjectId |
principal.user.attribute.labels[initiating_process_account_object_id] |
|
properties.InitiatingProcessAccountUpn |
principal.user.attribute.labels[initiating_process_account_upn] |
|
properties.InitiatingProcessAccountName |
principal.user.userid |
|
properties.InitiatingProcessAccountSid |
principal.user.windows_sid |
|
properties.InitiatingProcessTokenElevation |
principal.process.token_elevation_type |
If the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeFull, then the principal.process.token_elevation_type UDM field is set to TYPE_1.Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeDefault, then the principal.process.token_elevation_type UDM field is set to TYPE_2.Else, if the properties.InitiatingProcessTokenElevation log field value is equal to TokenElevationTypeLimited, then the principal.process.token_elevation_type UDM field is set to TYPE_3. |
properties.RegistryValueData |
target.registry.registry_value_data |
|
properties.RegistryKey |
target.registry.registry_key |
|
properties.RegistryValueName |
target.registry.registry_value_name |
|
properties.InitiatingProcessCreationTime |
additional.fields[initiating_process_creation_time] |
|
properties.InitiatingProcessIntegrityLevel |
additional.fields[initiating_process_integrity_level] |
|
properties.InitiatingProcessParentCreationTime |
additional.fields[initiating_process_parent_creation_time] |
|
properties.AppGuardContainerId |
additional.fields[app_guard_container_id] |
|
properties.InitiatingProcessVersionInfoCompanyName |
principal.process.file.exif_info.company |
|
properties.InitiatingProcessVersionInfoFileDescription |
principal.process.file.exif_info.file_description |
|
properties.InitiatingProcessVersionInfoInternalFileName |
additional.fields[initiating_process_version_info_internal_file_name] |
|
properties.InitiatingProcessVersionInfoOriginalFileName |
principal.process.file.exif_info.original_file |
|
properties.InitiatingProcessVersionInfoProductName |
principal.process.file.exif_info.product |
|
properties.InitiatingProcessVersionInfoProductVersion |
additional.fields[initiating_process_version_info_product_version] |
|
properties.RegistryValueType |
additional.fields[registry_value_type] |
Riferimento alla mappatura dei campi: MICROSOFT DEFENDER ENDPOINT - DeviceTvmInfoGatheringKB
La tabella seguente elenca i campi dei log per il tipo di logDeviceTvmInfoGatheringKB e i relativi campi UDM:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.Description |
metadata.description |
|
|
metadata.event_type |
The metadata.event_type UDM field is set to GENERIC_EVENT. |
properties.IgId |
metadata.product_log_id |
|
properties.Categories |
principal.resource.attribute.labels[categories] |
|
properties.DataStructure |
principal.resource.attribute.labels[data_structure] |
|
properties.FieldName |
principal.resource.name |
Riferimento alla mappatura dei campi: MICROSOFT DEFENDER ENDPOINT - DeviceTvmSecureConfigurationAssessment
La tabella seguente elenca i campi dei log per il tipo di logDeviceTvmSecureConfigurationAssessment e i relativi campi UDM:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.Timestamp |
metadata.event_timestamp |
|
|
metadata.event_type |
The metadata.event_type UDM field is set to SCAN_UNCATEGORIZED. |
properties.DeviceId |
principal.asset_id |
The principal.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.OSPlatform |
principal.asset.platform_software.platform |
If the properties.OSPlatform log field value matches the regular expression pattern (?i)macos, then the prinipal.asset.platform_software.platform UDM field is set to MAC.Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)windows, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)linux, then the principal.asset.platform_software.platform UDM field is set to LINUX. |
properties.DeviceName |
principal.hostname |
|
properties.ConfigurationCategory |
principal.resource.attribute.labels[configuration_category] |
|
properties.ConfigurationImpact |
principal.resource.attribute.labels[configuration_impact] |
|
properties.Context |
principal.resource.attribute.labels[contex] |
|
properties.IsApplicable |
principal.resource.attribute.labels[is_applicable] |
|
properties.IsCompliant |
principal.resource.attribute.labels[is_compliant] |
|
properties.IsExpectedUserImpact |
principal.resource.attribute.labels[is_expected_user_impact] |
|
properties.ConfigurationId |
principal.resource.product_object_id |
|
properties.ConfigurationSubcategory |
principal.resource.resource_subtype |
|
|
principal.resource.resource_type |
The principal.resource.resource_type UDM field is set to ACCESS_POLICY. |
Riferimento alla mappatura dei campi: MICROSOFT DEFENDER ENDPOINT - DeviceTvmSecureConfigurationAssessmentKB
La tabella seguente elenca i campi dei log per il tipo di logDeviceTvmSecureConfigurationAssessmentKB e i relativi campi UDM:
| Log field | UDM mapping | Logic |
|---|---|---|
|
metadata.event_type |
The metadata.event_type UDM field is set to GENERIC_EVENT. |
properties.ConfigurationBenchmarks |
principal.resource.attribute.labels[configuration_benchmarks] |
|
properties.ConfigurationCategory |
principal.resource.attribute.labels[configuration_category] |
|
properties.ConfigurationDescription |
principal.resource.attribute.labels[configuration_description] |
|
properties.ConfigurationImpact |
principal.resource.attribute.labels[configuration_impact] |
|
properties.RemediationOptions |
principal.resource.attribute.labels[remediation_options] |
|
properties.RiskDescription |
principal.resource.attribute.labels[risk_description] |
|
properties.Tags |
principal.resource.attribute.labels[tags] |
|
properties.ConfigurationName |
principal.resource.name |
|
properties.ConfigurationId |
principal.resource.product_object_id |
|
properties.ConfigurationSubcategory |
principal.resource.resource_subtype |
|
|
principal.resource.resource_type |
The principal.resource.resource_type UDM field is set to ACCESS_POLICY. |
Riferimento alla mappatura dei campi: MICROSOFT DEFENDER ENDPOINT - DeviceTvmSoftwareEvidenceBeta
La tabella seguente elenca i campi dei log per il tipo di logDeviceTvmSoftwareEvidenceBeta e i relativi campi UDM:
| Log field | UDM mapping | Logic |
|---|---|---|
|
metadata.event_type |
The metadata.event_type UDM field is set to GENERIC_EVENT. |
properties.DeviceId |
principal.asset_id |
The principal.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.DiskPaths |
principal.asset.attribute.labels[disk_paths] |
The properties.DiskPaths log field is mapped to the principal.asset.attribute.labels.disk_paths UDM field. |
properties.RegistryPaths |
principal.asset.attribute.labels[registry_paths] |
The properties.RegistryPaths log field is mapped to the principal.asset.attribute.labels.registry_paths UDM field. |
properties.LastSeenTime |
principal.asset.last_discover_time |
|
properties.SoftwareName |
principal.asset.software.name |
|
properties.SoftwareVendor |
principal.asset.software.vendor_name |
|
properties.SoftwareVersion |
principal.asset.software.version |
Riferimento alla mappatura dei campi: MICROSOFT DEFENDER ENDPOINT - DeviceTvmSoftwareInventory
La tabella seguente elenca i campi dei log per il tipo di logDeviceTvmSoftwareInventory e i relativi campi UDM:
| Log field | UDM mapping | Logic |
|---|---|---|
|
metadata.event_type |
The metadata.event_type UDM field is set to GENERIC_EVENT. |
properties.DeviceId |
principal.asset_id |
The principal.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.EndOfSupportDate |
principal.asset.attribute.labels[end_of_support_date] |
|
properties.EndOfSupportStatus |
principal.asset.attribute.labels[end_of_support_status] |
|
properties.OSArchitecture |
principal.asset.attribute.labels[os_architecture] |
|
properties.ProductCodeCpe |
principal.asset.attribute.labels[product_code_cpe] |
|
properties.OSPlatform |
principal.asset.platform_software.platform |
If the properties.OSPlatform log field value matches the regular expression pattern (?i)macos, then the prinipal.asset.platform_software.platform UDM field is set to MAC.Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)windows, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)linux, then the principal.asset.platform_software.platform UDM field is set to LINUX. |
properties.OSVersion |
principal.asset.platform_software.platform_version |
|
properties.SoftwareName |
principal.asset.software.name |
|
properties.SoftwareVendor |
principal.asset.software.vendor_name |
|
properties.SoftwareVersion |
principal.asset.software.version |
|
properties.DeviceName |
principal.hostname |
Riferimento alla mappatura dei campi: MICROSOFT DEFENDER ENDPOINT - DeviceTvmSoftwareVulnerabilities
La tabella seguente elenca i campi dei log per il tipo di logDeviceTvmSoftwareVulnerabilities e i relativi campi UDM:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.CveId |
extensions.vulns.vulnerabilities.cve_id |
|
properties.VulnerabilityLevel |
extensions.vulns.vulnerabilities.severity |
If the properties.VulnerabilityLevel log field value is equal to High, then the extensions.vulns.vulnerabilities.severity UDM field is set to HIGH.Else, if the properties.VulnerabilityLevel log field value is equal to Medium, then the extensions.vulns.vulnerabilities.severity UDM field is set to MEDIUM.Else, if the properties.VulnerabilityLevel log field value is equal to Low, then the extensions.vulns.vulnerabilities.severity UDM field is set to LOW.Else, if the properties.VulnerabilityLevel log field value is equal to Informational, then the extensions.vulns.vulnerabilities.severity UDM field is set to INFORMATIONAL. |
properties.SeverityLevel |
extensions.vulns.vulnerablitities.severity_details |
|
|
metadata.event_type |
The metadata.event_type UDM field is set to SCAN_VULN_HOST. |
properties.DeviceId |
principal.asset_id |
The principal.asset_id is set to DeviceID:%{properties.DeviceId}. |
properties.OSPlatform |
principal.asset.platform_software.platform |
If the properties.OSPlatform log field value matches the regular expression pattern (?i)macos, then the principal.asset.platform_software.platform UDM field is set to MAC.Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)windows, then the principal.asset.platform_software.platform UDM field is set to WINDOWS.Else, if the properties.OSPlatform log field value matches the regular expression pattern (?i)linux, then the principal.asset.platform_software.platform UDM field is set to LINUX. |
properties.OSVersion |
principal.asset.platform_software.platform_version |
|
properties.SoftwareName |
principal.asset.software.name |
|
properties.SoftwareVendor |
principal.asset.software.vendor_name |
|
properties.SoftwareVersion |
principal.asset.software.version |
|
properties.DeviceName |
principal.hostname |
|
properties.RecommendedSecurityUpdateId |
security_result.detection_fields[recommended_security_update_id] |
|
properties.RecommendedSecurityUpdate |
security_result.detection_fields[recommended_security_update] |
|
properties.CveTags |
additional.fields[cve_tags] |
Riferimento alla mappatura dei campi: MICROSOFT DEFENDER ENDPOINT - DeviceTvmSoftwareVulnerabilitiesKB
La tabella seguente elenca i campi dei log per il tipo di logDeviceTvmSoftwareVulnerabilitiesKB e i relativi campi UDM:
| Log field | UDM mapping | Logic |
|---|---|---|
|
metadata.event_type |
The metadata.event_type UDM field is set to GENERIC_EVENT. |
properties.CveId |
extensions.vulns.vulnerabilities.cve_id |
|
properties.CvssScore |
extensions.vulns.vulnerablities.cvss_base_score |
|
properties.IsExploitAvailable |
extensions.vulns.vulnerablities.cvss_vector |
|
properties.VulnerabilitySeverityLevel |
extensions.vulns.vulnerabilities.severity |
If the properties.VulnerabilitySeverityLevel log field value is equal to High, then the extensions.vulns.vulnerabilities.severity UDM field is set to HIGH.Else, if the properties.VulnerabilitySeverityLevel log field value is equal to Medium, then the extensions.vulns.vulnerabilities.severity UDM field is set to MEDIUM.Else, if the properties.VulnerabilitySeverityLevel log field value is equal to Low, then the extensions.vulns.vulnerabilities.severity UDM field is set to LOW.Else, if the properties.VulnerabilitySeverityLevel log field value is equal to Informational, then the extensions.vulns.vulnerabilities.severity UDM field is set to INFORMATIONAL.Else, the extensions.vulns.vulnerabilities.severity UDM field is set to UNKNOWN_SEVERITY. |
properties.VulnerabilitySeverityLevel |
extensions.vulns.vulnerablitities.severity_details |
|
properties.LastModifiedTime |
extensions.vulns.vulnerabilities.scan_end_time |
|
properties.PublishedDate |
extensions.vulns.vulnerabilities.first_found |
|
properties.VulnerabilityDescription |
extensions.vulns.vulnerabilities.cve_description |
|
properties.AffectedSoftware |
extensions.vulns.vulnerabilities.description |
Riferimento alla mappatura dei campi: MICROSOFT DEFENDER ENDPOINT - EmailAttachmentInfo
La tabella seguente elenca i campi dei log per il tipo di logEmailAttachmentInfo e i relativi campi UDM:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.FileType |
target.file.mime_type |
|
properties.FileName |
target.file.names |
|
properties.SHA256 |
target.file.sha256 |
If the properties.SHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$, then the properties.SHA256 log field is mapped to the target.file.sha256 UDM field. |
properties.FileSize |
target.file.size |
|
properties.Timestamp |
metadata.event_timestamp |
|
|
metadata.event_type |
The metadata.event_type UDM field is set to EMAIL_TRANSACTION. |
properties.ReportId |
metadata.product_log_id |
|
properties.SenderFromAddress |
network.email.from |
If the properties.SenderFromAddress log field value matches the regular expression pattern ^.+@.+$, then the properties.SenderFromAddress log field is mapped to the network.email.from UDM field. |
properties.NetworkMessageId |
network.email.mail_id |
|
properties.RecipientEmailAddress |
network.email.to |
If the properties.RecipientEmailAddress log field value matches the regular expression pattern ^.+@.+$, then the properties.RecipientEmailAddress log field is mapped to the network.email.to UDM field. |
properties.SenderFromAddress |
principal.user.email_addresses |
If the properties.SenderFromAddress log field value matches the regular expression pattern ^.+@.+$, then the properties.SenderFromAddress log field is mapped to the principal.user.email_addresses UDM field. |
properties.SenderObjectId |
principal.user.product_object_id |
|
properties.SenderDisplayName |
principal.user.user_display_name |
|
properties.ThreatTypes |
security_result.category |
If the properties.ThreatTypes log field value is equal to Phish, then the security_result.category UDM field is set to MAIL_PHISHING. |
properties.DetectionMethods |
security_result.detection_fields[detection_methods] |
|
properties.ThreatNames |
security_result.threat_name |
|
properties.RecipientEmailAddress |
target.user.email_addresses |
If the properties.RecipientEmailAddress log field value matches the regular expression pattern ^.+@.+$, then the properties.RecipientEmailAddress log field is mapped to the target.user.email_addresses UDM field. |
properties.RecipientObjectId |
target.user.product_object_id |
Riferimento alla mappatura dei campi: MICROSOFT DEFENDER ENDPOINT - EmailEvents
La tabella seguente elenca i campi dei log per il tipo di logEmailEvents e i relativi campi UDM:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.Timestamp |
metadata.event_timestamp |
|
|
metadata.event_type |
The metadata.event_type UDM field is set to EMAIL_TRANSACTION. |
properties.ReportId |
metadata.product_log_id |
|
properties.EmailDirection |
network.direction |
If the properties.EmailDirection log field value is equal to Inbound, then the network.direction UDM field is set to INBOUND.Else, if the properties.EmailDirection log field value is equal to Outbound, then the network.direction UDM field is set to OUTBOUND.Else, the network.direction UDM field is set to UNKNOWN_DIRECTION. |
properties.NetworkMessageId |
network.email.mail_id |
|
properties.Subject |
network.email.subject |
|
properties.RecipientEmailAddress |
network.email.to |
|
properties.SenderFromDomain |
principal.administrative_domain |
|
properties.SenderIPv4 |
principal.ip |
|
properties.SenderIPv6 |
principal.ip |
|
properties.SenderMailFromAddress |
principal.user.attribute.labels[sender_mail_from_address] |
|
properties.SenderFromAddress |
principal.user.email_addresses |
If the properties.SenderFromAddress log field value matches the regular expression pattern ^.+@.+$, then the properties.SenderFromAddress log field is mapped to the principal.user.email_addresses UDM field. |
properties.SenderMailFromDomain |
principal.user.attribute.labels[sender_mail_from_domain] |
|
properties.SenderObjectId |
principal.user.product_object_id |
|
properties.SenderDisplayName |
principal.user.user_display_name |
|
properties.ThreatTypes |
security_result.category |
If the properties.ThreatTypes log field value is equal to Phish, then the security_result.category UDM field is set to MAIL_PHISHING. |
properties.ThreatTypes |
security_result.category_details |
|
properties.ConfidenceLevel |
security_result.confidence_details |
|
properties.EmailAction |
security_result.description |
|
properties.AuthenticationDetails |
security_result.detection_fields[authentication_details] |
|
properties.BulkComplaintLevel |
security_result.detection_fields[bulk_complaint_level] |
|
properties.DetectionMethods |
security_result.detection_fields[detection_methods] |
|
properties.EmailActionPolicyGuid |
security_result.rule_id |
|
properties.EmailActionPolicy |
security_result.rule_name |
|
properties.ThreatNames |
security_result.threat_name |
|
properties.OrgLevelAction |
security_result.rule_labels[org_level_action] |
|
properties.OrgLevelPolicy |
security_result.rule_labels[org_level_policy] |
|
properties.UserLevelAction |
security_result.rule_labels[user_level_action] |
|
properties.UserLevelPolicy |
security_result.rule_labels[user_level_policy] |
|
properties.RecipientEmailAddress |
target.user.email_addresses |
If the properties.RecipientEmailAddress log field value matches the regular expression pattern ^.+@.+$, then the properties.RecipientEmailAddress log field is mapped to the target.user.email_addresses UDM field. |
properties.RecipientObjectId |
target.user.product_object_id |
|
properties.AdditionalFields |
additional.fields[additional_fields] |
|
properties.DeliveryAction |
additional.fields[delivery_action] |
|
properties.DeliveryLocation |
additional.fields[delivery_location] |
The properties.DeliveryLocation log field is mapped to the additional.fields.delivery_location UDM field. |
properties.EmailClusterId |
additional.fields[email_cluster_id] |
|
properties.EmailLanguage |
additional.fields[email_language] |
|
properties.InternetMessageId |
additional.fields[internet_message_id] |
|
properties.LatestDeliveryLocation |
additional.fields[last_delivery_location] |
|
properties.UrlCount |
additional.fields[connectors] |
|
properties.Connectors |
additional.fields[attachment_count] |
|
properties.AttachmentCount |
additional.fields[latest_delivery_action] |
|
properties.LatestDeliveryAction |
additional.fields[latest_delivery_action] |
Riferimento alla mappatura dei campi: MICROSOFT DEFENDER ENDPOINT - EmailPostDeliveryEvents
La tabella seguente elenca i campi dei log per il tipo di logEmailPostDeliveryEvents e i relativi campi UDM:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.Timestamp |
metadata.event_timestamp |
|
|
metadata.event_type |
The metadata.event_type UDM field is set to EMAIL_UNCATEGORIZED. |
properties.ReportId |
security_result.detection_fields[report_id] |
|
properties.NetworkMessageId |
network.email.mail_id |
|
properties.ActionResult |
security_result.summary |
|
properties.ThreatTypes |
security_result.category |
If the properties.ThreatTypes log field value is equal to Phish, then the security_result.category UDM field is set to MAIL_PHISHING. |
properties.ThreatTypes |
security_result.category_details |
|
properties.ActionTrigger |
security_result.detection_fields[action_trigger] |
|
properties.DeliveryLocation |
security_result.detection_fields[delivery_location] |
|
properties.DetectionMethods |
security_result.detection_fields[detection_methods] |
|
properties.Action |
security_result.action_details |
|
properties.ActionType |
security_result.verdict_info.verdict_type |
If the properties.ActionType log field value is equal to Manual Remediation, then the security_result.verdict_info.verdict_type UDM field is set to ANALYST_VERDICT.Else, if the properties.ActionType log field contains one of the following values, then the security_result.verdict_info.verdict_type UDM field is set to PROVIDER_ML_VERDICT.
|
properties.RecipientEmailAddress |
target.user.email_addresses |
If the properties.RecipientEmailAddress log field value matches the regular expression pattern ^.+@.+$, then the properties.RecipientEmailAddress log field is mapped to the target.user.email_addresses UDM field. |
properties.InternetMessageId |
additional.fields[internet_message_id] |
Riferimento alla mappatura dei campi: MICROSOFT DEFENDER ENDPOINT - EmailUrlInfo
La tabella seguente elenca i campi dei log per il tipo di logEmailUrlInfo e i relativi campi UDM:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.UrlDomain |
target.hostname |
|
properties.Url |
target.url |
|
properties.Timestamp |
metadata.event_timestamp |
|
|
metadata.event_type |
The metadata.event_type UDM field is set to EMAIL_TRANSACTION. |
properties.ReportId |
metadata.product_log_id |
|
properties.NetworkMessageId |
network.email.mail_id |
|
properties.UrlLocation |
additional.fields[url_location] |
Riferimento alla mappatura dei campi: MICROSOFT DEFENDER ENDPOINT - IdentityInfo
La tabella seguente elenca i campi dei log per il tipo di logIdentityInfo e i relativi campi UDM:
| Log field | UDM mapping | Logic |
|---|---|---|
properties.SourceSystem |
entity.resource.parent |
|
properties.AccountDomain |
entity.administrative_domain |
|
properties.TenantId |
entity.resource.product_object_id |
|
properties.CreatedDateTime |
entity.user.attribute.creation_time |
|
properties.AccountUpn |
entity.user.attribute.labels[account_upn] |
|
properties.ChangeSource |
entity.user.attribute.labels[change_source] |
|
properties.CloudSid |
entity.user.attribute.labels[cloud_sid] |
|
properties.ReportId |
entity.user.attribute.labels[report_id] |
|
properties.SipProxyAddress |
entity.user.attribute.labels[sip_proxy_address] |
|
properties.SourceProvider |
entity.user.attribute.labels[source_provider] |
|
properties.Tags |
entity.user.attribute.labels[tags] |
|
properties.Type |
entity.user.attribute.role.name |
|
properties.DistinguishedName |
entity.user.attributes.labels[distinguished_name] |
|
properties.Department |
entity.user.department |
|
properties.EmailAddress |
entity.user.email_addresses |
If the properties.EmailAddress log field value matches the regular expression pattern ^.+@.+$, then the properties.EmailAddress log field is mapped to the entity.user.email_addresses UDM field. |
properties.GivenName |
entity.user.first_name |
|
properties.Surname |
entity.user.last_name |
|
properties.Manager |
entity.user.managers.user_display_name |
|
properties.City |
entity.user.personal_address.city |
|
properties.Country |
entity.user.personal_address.country_or_region |
|
properties.Address |
entity.user.personal_address.name |
|
properties.Phone |
entity.user.phone_numbers |
|
properties.AccountObjectId |
entity.user.product_object_id |
|
properties.AssignedRoles |
entity.user.role_description |
|
properties.JobTitle |
entity.user.title |
|
properties.IsAccountEnabled |
entity.user.user_authentication_status |
If the properties.IsAccountEnabled log field value is equal to 1, then the entity.user.user_authentication_status UDM field is set to ACTIVE.Else, the entity.user.user_authentication_status UDM field is set to SUSPENDED. |
properties.AccountDisplayName |
entity.user.user_display_name |
|
properties.AccountName |
entity.user.userid |
|
properties.OnPremSid |
entity.user.attribute.labels[on_prem_sid] |
|
properties.Timestamp |
metadata.creation_time |
|
|
metadata.entity_type |
The metadata.entity_type UDM field is set to USER. |
properties.AccountObjectId |
metadata.product_entity_id |