此页面由 Cloud Translation API 翻译。

收集 Microsoft Defender for Endpoint 日志

支持的平台：

Google SecOps SIEM

本文档介绍了如何通过设置 Google 安全运营 Feed 来收集 Microsoft Defender for Endpoint 日志，以及日志字段如何映射到 Google SecOps 统一数据模型 (UDM) 字段。

如需了解详情，请参阅将数据提取到 Google SecOps。

典型的部署包括 Microsoft Defender for Endpoint 和配置为将日志发送到 Google SecOps 的 Google SecOps Feed。您的部署可能与本文档中所述的典型部署不同。该部署包含以下组件：

Microsoft Defender for Endpoint：用于收集日志的平台。
Azure Storage：用于存储日志的平台。
Google SecOps Feed：Google SecOps Feed 会从 Microsoft Defender for Endpoint 提取日志，并将日志写入 Google SecOps。
Google SecOps：用于保留和分析 Microsoft Defender for Endpoint 日志的平台。

提取标签用于标识将原始日志数据标准化为结构化 UDM 格式的解析器。本文档中的信息适用于具有 MICROSOFT_DEFENDER_ENDPOINT 注入标签的解析器。

准备工作

将部署架构中的所有系统的时区设置为世界协调时间 (UTC)。
确保您符合使用 Microsoft Defender for Endpoint 的前提条件。如需了解详情，请参阅 Microsoft Defender XDR 前提条件。
确保您已设置 Microsoft Defender for Endpoint。
在租户中配置存储账号。

设置 Microsoft Defender for Endpoint

以全局管理员或安全管理员身份登录 security.microsoft.com。
在左侧窗格中，点击设置。
选择 Microsoft Defender XDR 标签页。
从“General”（常规）部分中选择 Streaming API，然后点击 Add（添加）。
选择将事件转发到 Azure Storage。
前往您选择的存储账号。
依次选择概览 > JSON 视图，然后输入资源 ID。
输入资源 ID 后，选择所有所需的数据类型。
点击保存。

在 Google SecOps 中配置 Feed 以提取 Microsoft Defender for Endpoint 日志

依次前往 SIEM 设置 > Feed。
点击新增。
在Feed 名称字段中，输入 Feed 的名称（例如 MS Defender 日志）。
选择 Microsoft Azure Blob Storage 作为来源类型。
选择 Microsoft Defender for Endpoint 作为日志类型。
点击下一步。
配置以下输入参数：
- Azure URI：指向 Azure Blob Storage 中某个 Blob 或容器的 URI。
- URI 是：URI 指示的对象类型。
- 源文件删除选项：确定是否要在转移后删除文件或目录。
- 选择共享密钥或 SAS 令牌。
- 密钥/令牌：用于访问 Azure 资源的共享密钥或 SAS 令牌。
点击下一步，然后点击提交。

如果您在提取 Microsoft Defender for Endpoint 日志时遇到问题，请与 Google SecOps 支持团队联系。

支持的 Microsoft Defender for Endpoint 日志类型

Microsoft Defender for Endpoint 解析器支持以下表格：

AlertEvidence
AlertInfo
DeviceAlertEvents
DeviceEvents
DeviceFileCertificateInfo
DeviceFileEvents
DeviceIdentityLogonEvents
DeviceImageLoadEvents
DeviceInfo
DeviceLogonEvents
DeviceNetworkEvents
DeviceNetworkInfo
DeviceProcessEvents
DeviceRegistryEvents
DeviceTvmInfoGathering
DeviceTvmInfoGatheringKB
DeviceTvmSecureConfigurationAssessment
DeviceTvmSecureConfigurationAssessmentKB
DeviceTvmSoftwareEvidenceBeta
DeviceTvmSoftwareInventory
DeviceTvmSoftwareVulnerabilities
DeviceTvmSoftwareVulnerabilitiesKB
EmailAttachmentInfo
EmailEvents
EmailPostDeliveryEvents
EmailUrlInfo
IdentityInfo

字段映射参考文档

本部分介绍 Google Security Operations 解析器如何将 Microsoft Defender for Endpoint 字段映射到 Google Security Operations UDM 字段。

字段映射参考信息：MICROSOFT DEFENDER ENDPOINT - UDM 事件模型的通用字段

下表列出了 MICROSOFT_DEFENDER_ENDPOINT 日志类型的常见日志字段及其对应的 UDM 字段：

Common log field	UDM mapping	Logic
`time`	`metadata.collected_timestamp`
`category`	`metadata.product_event_type`
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Microsoft Defender for Endpoint`.
	`metadata.vendor_name`	The `metadata.vendor_name` UDM field is set to `Microsoft`.
`Tenant`	`observer.resource_ancestors.name`
`tenantId`	`observer.resource_ancestors.product_object_id`
`operationName`	`additional.fields[operation_name]`

字段映射参考信息：MICROSOFT DEFENDER ENDPOINT - UDM 实体模型的通用字段

下表列出了 MICROSOFT_DEFENDER_ENDPOINT 日志类型的常见日志字段及其对应的 UDM 字段：

Common log field	UDM mapping	Logic
	`metadata.vendor_name`	The `metadata.vendor_name` UDM field is set to `Microsoft`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Microsoft Defender for Endpoint`.
`time`	`metadata.collected_timestamp`
`tenantId`	`relations.entity.resource.product_object_id`
`operationName`	`additional.fields[operation_name]`
`category`	`metadata.description`
`Tenant`	`relations.entity.resource.name`
	`relations.entity_type`	The `relations.entity_type` UDM field is set to `RESOURCE`.
	`relations.relationship`	The `relations.relationship` UDM field is set to `MEMBER`.
	`relations.direction`	The `relations.direction` UDM field is set to `UNIDIRECTIONAL`.

字段映射参考信息：DeviceEvents 事件标识符到事件类型

下表列出了 DeviceEvents 日志操作类型及其对应的 UDM 事件类型。

Event Identifier	Event Type
`UsbDriveDriveLetterChanged`	`DEVICE_CONFIG_UPDATE`
`AppControlAppInstallationAudited`	`SCAN_HOST`
`AsrExecutableOfficeContentAudited`	`SCAN_HOST`
`ShellLinkCreateFileEvent`	`FILE_CREATION`
`FileTimestampModificationEvent`	`FILE_MODIFICATION`
`PlistPropertyModified`	`FILE_MODIFICATION`
`SensitiveFileRead`	`FILE_READ`
`AsrUntrustedExecutableAudited`	`SCAN_HOST`
`AsrUntrustedExecutableBlocked`	`SCAN_HOST`
`DlpPocPrintJob`	`FILE_UNCATEGORIZED`
`RemovableStorageFileEvent`	`FILE_UNCATEGORIZED`
`DpapiAccessed`	`GENERIC_EVENT`
`ScreenshotTaken`	`GENERIC_EVENT`
`SecurityGroupCreated`	`GROUP_CREATION`
`SecurityGroupDeleted`	`GROUP_DELETION`
`UserAccountAddedToLocalGroup`	`GROUP_MODIFICATION`
`UserAccountRemovedFromLocalGroup`	`GROUP_MODIFICATION`
`ExploitGuardNetworkProtectionAudited`	`SCAN_HOST`
`ExploitGuardNetworkProtectionBlocked`	`SCAN_HOST`
`FirewallInboundConnectionBlocked`	`NETWORK_CONNECTION`
`FirewallInboundConnectionToAppBlocked`	`NETWORK_CONNECTION`
`FirewallOutboundConnectionBlocked`	`NETWORK_CONNECTION`
`RemoteDesktopConnection`	`NETWORK_CONNECTION`
`RemoteWmiOperation`	`NETWORK_CONNECTION`
`UntrustedWifiConnection`	`NETWORK_CONNECTION`
`DnsQueryRequest`	`NETWORK_DNS`
`DnsQueryResponse`	`NETWORK_DNS`
`NetworkShareObjectAdded`	`NETWORK_UNCATEGORIZED`
`AppGuardBrowseToUrl`	`SCAN_HOST`
`BrowserLaunchedToOpenUrl`	`NETWORK_UNCATEGORIZED`
`NetworkProtectionUserBypassEvent`	`NETWORK_UNCATEGORIZED`
`NetworkShareObjectAccessChecked`	`NETWORK_UNCATEGORIZED`
`NetworkShareObjectDeleted`	`NETWORK_UNCATEGORIZED`
`NetworkShareObjectModified`	`NETWORK_UNCATEGORIZED`
`AsrOfficeProcessInjectionAudited`	`SCAN_HOST`
`AppGuardCreateContainer`	`SCAN_HOST`
`AppGuardLaunchedWithUrl`	`SCAN_HOST`
`AsrAdobeReaderChildProcessAudited`	`SCAN_HOST`
`AsrAdobeReaderChildProcessBlocked`	`SCAN_HOST`
`AsrExecutableEmailContentAudited`	`SCAN_HOST`
`AsrOfficeChildProcessAudited`	`SCAN_HOST`
`AsrOfficeCommAppChildProcessAudited`	`SCAN_HOST`
`AsrPsexecWmiChildProcessAudited`	`SCAN_HOST`
`AsrScriptExecutableDownloadAudited`	`SCAN_HOST`
`AsrUntrustedUsbProcessAudited`	`SCAN_HOST`
`ExploitGuardChildProcessAudited`	`SCAN_HOST`
`ExploitGuardLowIntegrityImageAudited`	`SCAN_HOST`
`PowerShellCommand`	`PROCESS_LAUNCH`
`ProcessCreatedUsingWmiQuery`	`PROCESS_LAUNCH`
`QueueUserApcRemoteApiCall`	`PROCESS_LAUNCH`
`GetClipboardData`	`STATUS_UPDATE`
`OpenProcessApiCall`	`PROCESS_OPEN`
`ScriptContent`	`PROCESS_LAUNCH`
`AppControlAppInstallationBlocked`	`SCAN_HOST`
`AppGuardSuspendContainer`	`SCAN_HOST`
`AppGuardStopContainer`	`SCAN_HOST`
`AppLockerBlockExecutable`	`PROCESS_UNCATEGORIZED`
`AsrObfuscatedScriptAudited`	`SCAN_HOST`
`AsrObfuscatedScriptBlocked`	`SCAN_HOST`
`AsrOfficeChildProcessBlocked`	`SCAN_HOST`
`AsrOfficeProcessInjectionBlocked`	`SCAN_HOST`
`AsrPsexecWmiChildProcessBlocked`	`SCAN_HOST`
`AsrScriptExecutableDownloadBlocked`	`SCAN_HOST`
`AsrUntrustedUsbProcessBlocked`	`SCAN_HOST`
`ExploitGuardChildProcessBlocked`	`SCAN_HOST`
`ExploitGuardLowIntegrityImageBlocked`	`SCAN_HOST`
`ExploitGuardSharedBinaryAudited`	`SCAN_HOST`
`ExploitGuardSharedBinaryBlocked`	`SCAN_HOST`
`MemoryRemoteProtect`	`PROCESS_UNCATEGORIZED`
`NamedPipeEvent`	`PROCESS_UNCATEGORIZED`
`NtAllocateVirtualMemoryApiCall`	`PROCESS_UNCATEGORIZED`
`NtAllocateVirtualMemoryRemoteApiCall`	`PROCESS_UNCATEGORIZED`
`NtMapViewOfSectionRemoteApiCall`	`PROCESS_UNCATEGORIZED`
`NtProtectVirtualMemoryApiCall`	`PROCESS_UNCATEGORIZED`
`ProcessPrimaryTokenModified`	`PROCESS_UNCATEGORIZED`
`PTraceDetected`	`PROCESS_UNCATEGORIZED`
`ReadProcessMemoryApiCall`	`PROCESS_UNCATEGORIZED`
`SetThreadContextRemoteApiCall`	`PROCESS_UNCATEGORIZED`
`WriteProcessMemoryApiCall`	`PROCESS_UNCATEGORIZED`
`WriteToLsassProcessMemory`	`PROCESS_UNCATEGORIZED`
`AsrOfficeCommAppChildProcessBlocked`	`SCAN_HOST`
`AppControlCIScriptAudited`	`SCAN_HOST`
`AppControlCIScriptBlocked`	`SCAN_HOST`
`AppControlCodeIntegrityImageAudited`	`SCAN_HOST`
`AppControlCodeIntegrityImageRevoked`	`SCAN_HOST`
`AppControlCodeIntegrityOriginAllowed`	`SCAN_HOST`
`AppControlCodeIntegrityOriginAudited`	`SCAN_HOST`
`AppControlCodeIntegrityOriginBlocked`	`SCAN_HOST`
`AppControlScriptAudited`	`SCAN_HOST`
`AppControlScriptBlocked`	`SCAN_HOST`
`AsrExecutableEmailContentBlocked`	`SCAN_HOST`
`SafeDocFileScan`	`SCAN_FILE`
`AntivirusDefinitionsUpdated`	`SCAN_HOST`
`AntivirusDefinitionsUpdateFailed`	`SCAN_HOST`
`AntivirusDetection`	`SCAN_HOST`
`AntivirusDetectionActionType`	`SCAN_HOST`
`AntivirusEmergencyUpdatesInstalled`	`SCAN_HOST`
`AntivirusError`	`SCAN_HOST`
`AntivirusMalwareActionFailed`	`SCAN_HOST`
`AntivirusMalwareBlocked`	`SCAN_HOST`
`AntivirusReport`	`SCAN_HOST`
`AntivirusScanCancelled`	`SCAN_HOST`
`AntivirusScanCompleted`	`SCAN_HOST`
`AntivirusScanFailed`	`SCAN_HOST`
`AntivirusTroubleshootModeEvent`	`SCAN_HOST`
`AppControlCodeIntegrityDriverRevoked`	`SCAN_HOST`
`AppControlCodeIntegrityPolicyAudited`	`SCAN_HOST`
`AppControlCodeIntegrityPolicyBlocked`	`SCAN_HOST`
`AppControlCodeIntegrityPolicyLoaded`	`SCAN_HOST`
`AppControlCodeIntegritySigningInformation`	`SCAN_HOST`
`AppControlExecutableAudited`	`SCAN_HOST`
`AppControlExecutableBlocked`	`SCAN_HOST`
`AppControlPackagedAppAudited`	`SCAN_HOST`
`AppControlPackagedAppBlocked`	`SCAN_HOST`
`AccountCheckedForBlankPassword`	`SCAN_UNCATEGORIZED`
`SmartScreenAppWarning`	`SCAN_UNCATEGORIZED`
`SmartScreenExploitWarning`	`SCAN_HOST`
`SmartScreenUrlWarning`	`SCAN_UNCATEGORIZED`
`SmartScreenUserOverride`	`SCAN_UNCATEGORIZED`
`ScheduledTaskCreated`	`SCHEDULED_TASK_CREATION`
`ScheduledTaskDeleted`	`SCHEDULED_TASK_DELETION`
`ScheduledTaskDisabled`	`SCHEDULED_TASK_DISABLE`
`ScheduledTaskEnabled`	`SCHEDULED_TASK_ENABLE`
`ScheduledTaskUpdated`	`SCHEDULED_TASK_MODIFICATION`
`ServiceInstalled`	`SERVICE_CREATION`
`DirectoryServiceObjectCreated`	`SERVICE_MODIFICATION`
`DirectoryServiceObjectModified`	`SERVICE_MODIFICATION`
`AuditPolicyModification`	`SERVICE_MODIFICATION`
`CreateRemoteThreadApiCall`	`PROCESS_UNCATEGORIZED`
`CredentialsBackup`	`SERVICE_START`
`FirewallServiceStopped`	`SERVICE_STOP`
`BitLockerAuditCompleted`	`SERVICE_UNSPECIFIED`
`AppControlPolicyApplied`	`SCAN_HOST`
`AppGuardResumeContainer`	`SCAN_HOST`
`AppLockerBlockPackagedApp`	`STATUS_UPDATE`
`AppLockerBlockPackagedAppInstallation`	`STATUS_UPDATE`
`AppLockerBlockScript`	`STATUS_UPDATE`
`AsrExecutableOfficeContentBlocked`	`SCAN_HOST`
`AsrLsassCredentialTheftAudited`	`SCAN_HOST`
`AsrLsassCredentialTheftBlocked`	`SCAN_HOST`
`AsrOfficeMacroWin32ApiCallsAudited`	`SCAN_HOST`
`AsrOfficeMacroWin32ApiCallsBlocked`	`SCAN_HOST`
`AsrPersistenceThroughWmiAudited`	`SCAN_HOST`
`AsrPersistenceThroughWmiBlocked`	`SCAN_HOST`
`AsrRansomwareAudited`	`SCAN_HOST`
`AsrRansomwareBlocked`	`SCAN_HOST`
`AsrVulnerableSignedDriverAudited`	`SCAN_HOST`
`AsrVulnerableSignedDriverBlocked`	`SCAN_HOST`
`BluetoothPolicyTriggered`	`STATUS_UPDATE`
`ClrUnbackedModuleLoaded`	`PROCESS_MODULE_LOAD`
`ControlFlowGuardViolation`	`STATUS_UPDATE`
`DeviceBootAttestationInfo`	`STATUS_UPDATE`
`DriverLoad`	`PROCESS_MODULE_LOAD`
`ExploitGuardEafViolationAudited`	`SCAN_HOST`
`ExploitGuardEafViolationBlocked`	`SCAN_HOST`
`ExploitGuardIafViolationAudited`	`SCAN_HOST`
`ExploitGuardIafViolationBlocked`	`SCAN_HOST`
`ExploitGuardNonMicrosoftSignedAudited`	`SCAN_HOST`
`ExploitGuardNonMicrosoftSignedBlocked`	`SCAN_HOST`
`ExploitGuardRopExploitAudited`	`SCAN_HOST`
`ExploitGuardRopExploitBlocked`	`SCAN_HOST`
`ExploitGuardWin32SystemCallAudited`	`SCAN_HOST`
`ExploitGuardWin32SystemCallBlocked`	`SCAN_HOST`
`GetAsyncKeyStateApiCall`	`STATUS_UPDATE`
`OtherAlertRelatedActivity`	`STATUS_UPDATE`
`PnpDeviceAllowed`	`DEVICE_CONFIG_UPDATE`
`PnpDeviceBlocked`	`STATUS_UPDATE`
`PnpDeviceConnected`	`STATUS_UPDATE`
`PrintJobBlocked`	`STATUS_UPDATE`
`RemovableStoragePolicyTriggered`	`STATUS_UPDATE`
`SecurityLogCleared`	`SYSTEM_AUDIT_LOG_WIPE`
`TvmAxonTelemetryEvent`	`STATUS_UPDATE`
`UsbDriveMount`	`DEVICE_CONFIG_UPDATE`
`UsbDriveMounted`	`DEVICE_CONFIG_UPDATE`
`UsbDriveUnmount`	`DEVICE_CONFIG_UPDATE`
`UsbDriveUnmounted`	`DEVICE_CONFIG_UPDATE`
`WmiBindEventFilterToConsumer`	`STATUS_UPDATE`
`TamperingAttempt`	`SETTING_MODIFICATION`
`PasswordChangeAttempt`	`USER_CHANGE_PASSWORD`
`LogonRightsSettingEnabled`	`USER_CHANGE_PERMISSIONS`
`UserAccountCreated`	`USER_CREATION`
`UserAccountDeleted`	`USER_DELETION`
`LdapSearch`	`STATUS_UPDATE`
`ControlledFolderAccessViolationAudited`	`SCAN_FILE`
`ControlledFolderAccessViolationBlocked`	`SCAN_FILE`
`ExploitGuardAcgAudited`	`SCAN_HOST`
`ExploitGuardAcgEnforced`	`SCAN_HOST`
`UserAccountModified`	`USER_UNCATEGORIZED`

字段映射参考信息：MICROSOFT DEFENDER ENDPOINT - DeviceEvents

下表列出了 DeviceEvents 日志类型的日志字段及其对应的 UDM 字段：

Log field	UDM mapping	Logic
`properties.Timestamp`	`metadata.event_timestamp`
`properties.ActionType`	`metadata.event_type`
`properties.ReportId`	`metadata.product_log_id`
`properties.LogonId`	`network.session_id`
`properties.DeviceId`	`principal.asset_id`	The `principal.asset_id` is set to `DeviceID:%{properties.DeviceId}`.
`properties.InitiatingProcessAccountDomain`	`principal.administrative_domain`	If the `properties.ActionType` log field contains one of the following values, and the `properties.InitiatingProcessAccountDomain` log field value is not empty, then the `properties.InitiatingProcessAccountDomain` log field is mapped to the `target.administrative_domain` UDM field. `PasswordChangeAttempt` `UserAccountCreated` `UserAccountDeleted` Else, if the `properties.InitiatingProcessAccountDomain` log field value is not empty, then the `properties.InitiatingProcessAccountDomain` log field is mapped to the `principal.administrative_domain` UDM field.
`properties.AccountDomain`	`principal.administrative_domain`	If the `properties.ActionType` log field contains one of the following values, and the `properties.InitiatingProcessAccountDomain` log field value is empty, then the `properties.AccountDomain` log field is mapped to the `target.administrative_domain` UDM field. `PasswordChangeAttempt` `UserAccountCreated` `UserAccountDeleted` Else, if the `properties.InitiatingProcessAccountDomain` log field value is empty, then the `properties.AccountDomain` log field is mapped to the `principal.administrative_domain` UDM field.
`properties.DeviceName`	`principal.hostname`
`properties.LocalIP`	`principal.ip`
`properties.FileOriginIP`	`principal.ip`
`properties.LocalPort`	`principal.port`
`properties.InitiatingProcessCommandLine`	`principal.process.command_line`
`properties.InitiatingProcessFolderPath`	`principal.process.file.full_path`	If the `properties.InitiatingProcessFolderPath` log field value matches the regular expression pattern the `properties.InitiatingProcessFileName` log field value, then the `properties.InitiatingProcessFolderPath` log field is mapped to the `principal.process.file.full_path` UDM field. Else, the `principal.process.file.full_path` is set to `%{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}`.
`properties.InitiatingProcessMD5`	`principal.process.file.md5`	If the `properties.InitiatingProcessMD5` log field value matches the regular expression pattern `^[0-9a-f]+$`, then the `properties.InitiatingProcessMD5` log field is mapped to the `principal.process.file.md5` UDM field.
`properties.InitiatingProcessFileName`	`principal.process.file.names`
`properties.InitiatingProcessSHA1`	`principal.process.file.sha1`	If the `properties.InitiatingProcessSHA1` log field value matches the regular expression pattern `^[0-9a-f]+$`, then the `properties.InitiatingProcessSHA1` log field is mapped to the `principal.process.file.sha1` UDM field.
`properties.InitiatingProcessSHA256`	`principal.process.file.sha256`	If the `properties.InitiatingProcessSHA256` log field value matches the regular expression pattern `^[a-f0-9]{64}$`, then the `properties.InitiatingProcessSHA256` log field is mapped to the `principal.process.file.sha256` UDM field.
`properties.InitiatingProcessFileSize`	`principal.process.file.size`
`properties.InitiatingProcessParentFileName`	`principal.process.parent_process.file.names`
`properties.InitiatingProcessParentId`	`principal.process.parent_process.pid`
`properties.InitiatingProcessId`	`principal.process.pid`
`properties.FileOriginUrl`	`principal.url`
`properties.InitiatingProcessAccountObjectId`	`principal.user.product_object_id`
`properties.InitiatingProcessAccountUpn`	`principal.user.user_display_name`
`properties.InitiatingProcessAccountName`	`principal.user.userid`	If the `properties.ActionType` log field contains one of the following values, and the `properties.InitiatingProcessAccountName` log field value is not empty, then the `properties.InitiatingProcessAccountName` log field is mapped to the `target.user.userid` UDM field. `PasswordChangeAttempt` `UserAccountCreated` `UserAccountDeleted` Else, if the `properties.InitiatingProcessAccountName` log field value is not empty, then the `properties.InitiatingProcessAccountName` log field is mapped to the `principal.user.userid` UDM field.
`properties.AccountName`	`principal.user.userid`	If the `properties.ActionType` log field contains one of the following values, and the `properties.InitiatingProcessAccountName` log field value is empty, then the `properties.AccountName` log field is mapped to the `target.user.userid` UDM field. `PasswordChangeAttempt` `UserAccountCreated` `UserAccountDeleted` Else, if the `properties.InitiatingProcessAccountName` log field value is empty, then the `properties.AccountName` log field is mapped to the `principal.user.userid` UDM field.
`properties.InitiatingProcessAccountSid`	`principal.user.windows_sid`	If the `properties.ActionType` log field contains one of the following values, and the `properties.InitiatingProcessAccountSid` log field value is not empty, then the `properties.InitiatingProcessAccountSid` log field is mapped to the `target.user.windows_sid` UDM field. `PasswordChangeAttempt` `UserAccountCreated` `UserAccountDeleted` Else, if the `properties.InitiatingProcessAccountSid` log field value is not empty, then the `properties.InitiatingProcessAccountSid` log field is mapped to the `principal.user.windows_sid` UDM field.
`properties.AccountSid`	`principal.user.windows_sid`	If the `properties.ActionType` log field contains one of the following values, and the `properties.InitiatingProcessAccountSid` log field value is empty, then the `properties.AccountSid` log field is mapped to the `target.user.windows_sid` UDM field. `PasswordChangeAttempt` `UserAccountCreated` `UserAccountDeleted` Else, if the `properties.InitiatingProcessAccountSid` log field value is empty, then the `properties.AccountSid` log field is mapped to the `principal.user.windows_sid` UDM field.
`properties.ActionType`	`security_result.action`	If the `properties.ActionType` log field value matches the regular expression pattern `(?i)Allow`, then the `security_result.action` UDM field is set to `ALLOW`. Else if the `properties.ActionType` log field value matches the regular expression pattern `(?i)Block`, then the `security_result.action` UDM field is set to `BLOCK`. Else if the `properties.ActionType` log field value matches the regular expression pattern `(?i)Fail`, then the `security_result.action` UDM field is set to `FAIL`.
`properties.FolderPath`	`target.file.full_path`	If the `properties.RemoteDeviceName` log field value contain one of the following values `ProcessCreatedUsingWmiQuery` `OpenProcessApiCall` `MemoryRemoteProtect` `NtAllocateVirtualMemoryApiCall` `NtAllocateVirtualMemoryRemoteApiCall` `NtMapViewOfSectionRemoteApiCall` `NtProtectVirtualMemoryApiCall` `ProcessPrimaryTokenModified` `ReadProcessMemoryApiCall` `SetThreadContextRemoteApiCall` `WriteProcessMemoryApiCall` `WriteToLsassProcessMemory` `CreateRemoteThreadApiCall` `AsrOfficeProcessInjectionAudited` `AsrAdobeReaderChildProcessAudited` `AsrAdobeReaderChildProcessBlocked` `AsrOfficeChildProcessAudited` `AsrOfficeCommAppChildProcessAudited` `AsrPsexecWmiChildProcessAudited` `AsrUntrustedUsbProcessAudited` `ExploitGuardChildProcessAudited` `AsrOfficeChildProcessBlocked` `AsrOfficeProcessInjectionBlocked` `AsrPsexecWmiChildProcessBlocked` `AsrUntrustedUsbProcessBlocked` `ExploitGuardChildProcessBlocked` `AsrOfficeCommAppChildProcessBlocked` and if the `properties.FolderPath` log field value matches the regular expression pattern `the properties.FileName log field value` then, `properties.FolderPath` log field is mapped to the `target.process.file.full_path` UDM field. Else, `%{properties.FolderPath}\%{properties.FileName}` log field is mapped to the `target.process.file.full_path` UDM field. Else, if the `properties.FolderPath` log field value matches the regular expression pattern `the properties.FileName log field value` then, `properties.FolderPath` log field is mapped to the `target.file.full_path` UDM field. Else, `%{properties.FolderPath}\%{properties.FileName}` log field is mapped to the `target.file.full_path` UDM field.
`properties.MD5`	`target.file.md5`	If the `properties.RemoteDeviceName` log field value contain one of the following values `ProcessCreatedUsingWmiQuery` `OpenProcessApiCall` `MemoryRemoteProtect` `NtAllocateVirtualMemoryApiCall` `NtAllocateVirtualMemoryRemoteApiCall` `NtMapViewOfSectionRemoteApiCall` `NtProtectVirtualMemoryApiCall` `ProcessPrimaryTokenModified` `ReadProcessMemoryApiCall` `SetThreadContextRemoteApiCall` `WriteProcessMemoryApiCall` `WriteToLsassProcessMemory` `CreateRemoteThreadApiCall` `AsrOfficeProcessInjectionAudited` `AsrAdobeReaderChildProcessAudited` `AsrAdobeReaderChildProcessBlocked` `AsrOfficeChildProcessAudited` `AsrOfficeCommAppChildProcessAudited` `AsrPsexecWmiChildProcessAudited` `AsrUntrustedUsbProcessAudited` `ExploitGuardChildProcessAudited` `AsrOfficeChildProcessBlocked` `AsrOfficeProcessInjectionBlocked` `AsrPsexecWmiChildProcessBlocked` `AsrUntrustedUsbProcessBlocked` `ExploitGuardChildProcessBlocked` `AsrOfficeCommAppChildProcessBlocked` and if the `properties.MD5` log field value matches the regular expression pattern `^[0-9a-f]+$` then, `properties.MD5` log field is mapped to the `target.process.file.md5` UDM field. Else, if the `properties.MD5` log field value matches the regular expression pattern `^[0-9a-f]+$` then, `properties.MD5` log field is mapped to the `target.file.md5` UDM field.
`properties.FileName`	`target.file.names`	If the `properties.RemoteDeviceName` log field value contain one of the following values `ProcessCreatedUsingWmiQuery` `OpenProcessApiCall` `MemoryRemoteProtect` `NtAllocateVirtualMemoryApiCall` `NtAllocateVirtualMemoryRemoteApiCall` `NtMapViewOfSectionRemoteApiCall` `NtProtectVirtualMemoryApiCall` `ProcessPrimaryTokenModified` `ReadProcessMemoryApiCall` `SetThreadContextRemoteApiCall` `WriteProcessMemoryApiCall` `WriteToLsassProcessMemory` `CreateRemoteThreadApiCall` `AsrOfficeProcessInjectionAudited` `AsrAdobeReaderChildProcessAudited` `AsrAdobeReaderChildProcessBlocked` `AsrOfficeChildProcessAudited` `AsrOfficeCommAppChildProcessAudited` `AsrPsexecWmiChildProcessAudited` `AsrUntrustedUsbProcessAudited` `ExploitGuardChildProcessAudited` `AsrOfficeChildProcessBlocked` `AsrOfficeProcessInjectionBlocked` `AsrPsexecWmiChildProcessBlocked` `AsrUntrustedUsbProcessBlocked` `ExploitGuardChildProcessBlocked` `AsrOfficeCommAppChildProcessBlocked` and if the `properties.MD5` log field value matches the regular expression pattern `^[0-9a-f]+$` then, `properties.FileName` log field is mapped to the `target.process.file.names` UDM field. Else, if the `properties.MD5` log field value matches the regular expression pattern `^[0-9a-f]+$` then, `properties.FileName` log field is mapped to the `target.file.names` UDM field.
`properties.SHA1`	`target.file.sha1`	If the `properties.RemoteDeviceName` log field value contain one of the following values `ProcessCreatedUsingWmiQuery` `OpenProcessApiCall` `MemoryRemoteProtect` `NtAllocateVirtualMemoryApiCall` `NtAllocateVirtualMemoryRemoteApiCall` `NtMapViewOfSectionRemoteApiCall` `NtProtectVirtualMemoryApiCall` `ProcessPrimaryTokenModified` `ReadProcessMemoryApiCall` `SetThreadContextRemoteApiCall` `WriteProcessMemoryApiCall` `WriteToLsassProcessMemory` `CreateRemoteThreadApiCall` `AsrOfficeProcessInjectionAudited` `AsrAdobeReaderChildProcessAudited` `AsrAdobeReaderChildProcessBlocked` `AsrOfficeChildProcessAudited` `AsrOfficeCommAppChildProcessAudited` `AsrPsexecWmiChildProcessAudited` `AsrUntrustedUsbProcessAudited` `ExploitGuardChildProcessAudited` `AsrOfficeChildProcessBlocked` `AsrOfficeProcessInjectionBlocked` `AsrPsexecWmiChildProcessBlocked` `AsrUntrustedUsbProcessBlocked` `ExploitGuardChildProcessBlocked` `AsrOfficeCommAppChildProcessBlocked` and if the `properties.SHA1` log field value matches the regular expression pattern `^[0-9a-f]+$` then, `properties.SHA1` log field is mapped to the `target.process.file.sha1` UDM field. Else, if the `properties.SHA1` log field value matches the regular expression pattern `^[0-9a-f]+$` then, `properties.SHA1` log field is mapped to the `target.file.sha1` UDM field.
`properties.SHA256`	`target.file.sha256`	If the `properties.RemoteDeviceName` log field value contain one of the following values `ProcessCreatedUsingWmiQuery` `OpenProcessApiCall` `MemoryRemoteProtect` `NtAllocateVirtualMemoryApiCall` `NtAllocateVirtualMemoryRemoteApiCall` `NtMapViewOfSectionRemoteApiCall` `NtProtectVirtualMemoryApiCall` `ProcessPrimaryTokenModified` `ReadProcessMemoryApiCall` `SetThreadContextRemoteApiCall` `WriteProcessMemoryApiCall` `WriteToLsassProcessMemory` `CreateRemoteThreadApiCall` `AsrOfficeProcessInjectionAudited` `AsrAdobeReaderChildProcessAudited` `AsrAdobeReaderChildProcessBlocked` `AsrOfficeChildProcessAudited` `AsrOfficeCommAppChildProcessAudited` `AsrPsexecWmiChildProcessAudited` `AsrUntrustedUsbProcessAudited` `ExploitGuardChildProcessAudited` `AsrOfficeChildProcessBlocked` `AsrOfficeProcessInjectionBlocked` `AsrPsexecWmiChildProcessBlocked` `AsrUntrustedUsbProcessBlocked` `ExploitGuardChildProcessBlocked` `AsrOfficeCommAppChildProcessBlocked` and if the `properties.SHA256` log field value matches the regular expression pattern `^[a-f0-9]{64}$` then, `properties.SHA256` log field is mapped to the `target.process.file.sha256` UDM field. Else, if the `properties.SHA256` log field value matches the regular expression pattern `^[a-f0-9]{64}$` then, `properties.SHA256` log field is mapped to the `target.file.sha256` UDM field.
`properties.FileSize`	`target.file.size`	If the `properties.RemoteDeviceName` log field value contain one of the following values `ProcessCreatedUsingWmiQuery` `OpenProcessApiCall` `MemoryRemoteProtect` `NtAllocateVirtualMemoryApiCall` `NtAllocateVirtualMemoryRemoteApiCall` `NtMapViewOfSectionRemoteApiCall` `NtProtectVirtualMemoryApiCall` `ProcessPrimaryTokenModified` `ReadProcessMemoryApiCall` `SetThreadContextRemoteApiCall` `WriteProcessMemoryApiCall` `WriteToLsassProcessMemory` `CreateRemoteThreadApiCall` `AsrOfficeProcessInjectionAudited` `AsrAdobeReaderChildProcessAudited` `AsrAdobeReaderChildProcessBlocked` `AsrOfficeChildProcessAudited` `AsrOfficeCommAppChildProcessAudited` `AsrPsexecWmiChildProcessAudited` `AsrUntrustedUsbProcessAudited` `ExploitGuardChildProcessAudited` `AsrOfficeChildProcessBlocked` `AsrOfficeProcessInjectionBlocked` `AsrPsexecWmiChildProcessBlocked` `AsrUntrustedUsbProcessBlocked` `ExploitGuardChildProcessBlocked` `AsrOfficeCommAppChildProcessBlocked` and if the `properties.MD5` log field value matches the regular expression pattern `^[0-9a-f]+$` then, `properties.FileSize` log field is mapped to the `target.process.file.size` UDM field. Else, if the `properties.MD5` log field value matches the regular expression pattern `^[0-9a-f]+$` then, `properties.FileSize` log field is mapped to the `target.file.size` UDM field.
`properties.RemoteDeviceName`	`target.hostname`
`properties.RemoteIP`	`target.ip`
`properties.RemotePort`	`target.port`
`properties.ProcessCommandLine`	`target.process.command_line`
`properties.ProcessId`	`target.process.pid`
`properties.ProcessTokenElevation`	`target.process.token_elevation_type`	If the `properties.ProcessTokenElevation` log field value is equal to `TokenElevationTypeFull`, then the `target.process.token_elevation_type` UDM field is set to `TYPE_1`. Else, if the `properties.ProcessTokenElevation` log field value is equal to `TokenElevationTypeDefault`, then the `target.process.token_elevation_type` UDM field is set to `TYPE_2`. Else, if the `properties.ProcessTokenElevation` log field value is equal to `TokenElevationTypeLimited`, then the `target.process.token_elevation_type` UDM field is set to `TYPE_3`.
`properties.RegistryKey`	`target.registry.registry_key`
`properties.RegistryValueData`	`target.registry.registry_value_data`
`properties.RegistryValueName`	`target.registry.registry_value_name`
`properties.RemoteUrl`	`target.url`
`properties.AdditionalFields`	`additional.fields[additional_fields]`
`properties.AppGuardContainerId`	`additional.fields[app_guard_container_id]`
`properties.InitiatingProcessCreationTime`	`additional.fields[initiating_process_creation_time]`
`properties.InitiatingProcessLogonId`	`additional.fields[initiating_process_logon_id]`
`properties.InitiatingProcessParentCreationTime`	`additional.fields[initiating_process_parent_creation_time]`
`properties.ProcessCreationTime`	`additional.fields[process_creation_time]`
`properties.InitiatingProcessVersionInfoCompanyName`	`principal.process.file.exif_info.company`
`properties.InitiatingProcessVersionInfoFileDescription`	`principal.process.file.exif_info.file_description`
`properties.InitiatingProcessVersionInfoInternalFileName`	`additional.fields[process_version_info_internal_file_name]`
`properties.InitiatingProcessVersionInfoOriginalFileName`	`principal.process.file.exif_info.original_file`
`properties.InitiatingProcessVersionInfoProductName`	`principal.process.file.exif_info.product`
`properties.InitiatingProcessVersionInfoProductVersion`	`additional.fields[process_version_info_product_version]`

字段映射参考：MICROSOFT DEFENDER ENDPOINT - AlertEvidence

下表列出了 AlertEvidence 日志类型的日志字段及其对应的 UDM 字段：

Log field	UDM mapping	Logic
`properties.Application`	`additional.fields[application]`
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `SCAN_HOST`.
`properties.DeviceId`	`principal.asset_id`	If the `properties.DeviceId` log field value is not empty, then the `DeviceID:properties.DeviceId` log field is mapped to the `principal.asset_id` UDM field.
`properties.DeviceName`	`principal.hostname`	If the `properties.DeviceName` log field value is not empty then, `properties.DeviceName` log field is mapped to the `principal.hostname` UDM field. Else, if the `properties.AdditionalFields.HostName` log field value is not empty then, `properties.AdditionalFields.HostName` log field is mapped to the `principal.hostname` UDM field. Else, if the `properties.AdditionalFields.Host.HostName` log field value is not empty then, `properties.AdditionalFields.Host.HostName` log field is mapped to the `principal.hostname` UDM field. Else, if the `properties.AdditionalFields.ImageFile.Host.HostName` log field value is not empty then, `AdditionalFields.ImageFile.Host.HostName` log field is mapped to the `principal.hostname` UDM field.
`properties.LocalIP`	`principal.asset.ip`	If the `properties.LocalIP` log field value is not empty, then the `properties.LocalIP` log field is mapped to the `principal.asset.ip` UDM field.
`properties.FolderPath`	`target.file.full_path`	If the `properties.FileName` log field value matches the regular expression pattern the `properties.FolderPath`, then the `properties.FolderPath` log field is mapped to the `target.file.full_path` UDM field. Else, the `properties.FolderPath/properties.FileName` log field is mapped to the `target.file.full_path` UDM field.
`properties.FileName`	`target.file.names`
`properties.SHA1`	`target.file.sha1`	If the `properties.SHA1` log field value matches the regular expression pattern `^the 0-9a-f log field value+$`, then the `properties.SHA1` log field is mapped to the `target.file.sha1` UDM field.
`properties.SHA256`	`target.file.sha256`	If the `properties.SHA256` log field value matches the regular expression pattern `^the a-f0-9, then 64$`, then the `properties.SHA256` log field is mapped to the `target.file.sha256` UDM field.
`properties.FileSize`	`target.file.size`
`properties.AccountDomain`	`principal.administrative_domain`
`properties.RemoteIP`	`target.ip`
`properties.AdditionalFields`	`additional.fields[additionalfields]`
`properties.ProcessCommandLine`	`target.process.command_line`
`properties.RegistryKey`	`target.registry.registry_key`
`properties.RegistryValueData`	`target.registry.registry_value_data`
`properties.RegistryValueName`	`target.registry.registry_value_name`
`properties.CloudPlatform`	`principal.resource.attribute.cloud.environment`	If the `properties.CloudPlatform` log field value matches the regular expression pattern `/(?i)Amazon Web Services/`, then the `principal.resource.attribute.cloud.environment` UDM field is set to `AMAZON_WEB_SERVICES`. Else, if the `properties.CloudPlatform` log field value matches the regular expression pattern `/(?i)Google Cloud Platform/`, then the `principal.resource.attribute.cloud.environment` UDM field is set to `GOOGLE_CLOUD_PLATFORM`. Else, if the `properties.CloudPlatform` log field value matches the regular expression pattern `/(?i)Azure/`, then the `principal.resource.attribute.cloud.environment` UDM field is set to `MICROSOFT_AZURE`. Else, the `principal.resource.attribute.cloud.environment` UDM field is set to `UNSPECIFIED_CLOUD_ENVIRONMENT`.
`properties.SubscriptionId`	`principal.resource.attribute.labels[subscription_id]`
`properties.CloudResource`	`principal.resource.name`
`properties.ResourceID`	`principal.resource.product_object_id`
	`principal.resource.resource_type`	The `principal.resource.resource_type` UDM field is set to `CLOUD_PROJECT`.
`properties.Categories`	`security_result.category_details`
`properties.Severity`	`security_result.severity`
`properties.Title`	`security_result.summary`
`properties.Title`	`security_result.threat_name`
`properties.Title`	`security_result.rule_name`
`properties.ThreatFamily`	`security_result.detection_fields[threat_family]`
`properties.RemoteUrl`	`target.url`
`properties.EvidenceDirection`	`principal.user.attribute.labels[evidence_direction]`
`properties.EvidenceRole`	`principal.user.attribute.labels[evidence_role]`
`properties.AccountObjectId`	`additional.fields[account_object_id]`
`properties.AccountUpn`	`principal.user.user_display_name`
`properties.AccountName`	`principal.user.userid`
`properties.AccountSid`	`principal.user.windows_sid`
`properties.Timestamp`	`metadata.event_timestamp`
`properties.EntityType`	`principal.resource.resource_subtype`
`properties.AlertId`	`metadata.product_log_id`
`properties.DetectionSource`	`security_result.about.resource.attribute.labels[detection_source]`
`properties.ServiceSource`	`security_result.about.resource.attribute.labels[service_source]`
`properties.AttackTechniques`	`security_result.attack_details.techniques.name`
`properties.ApplicationId`	`additional.fields[application_id]`
`properties.EmailSubject`	`network.email.subject`
`properties.NetworkMessageId`	`network.email.mail_id`
`properties.OAuthApplicationId`	`additional.fields[oauth_application_id]`

字段映射参考：MICROSOFT DEFENDER ENDPOINT - AlertInfo

下表列出了 AlertInfo 日志类型的日志字段及其对应的 UDM 字段：

Log field	UDM mapping	Logic
	`is_alert`	The `is_alert` UDM field is set to `true`.
	`is_significant`	The `is_significant` UDM field is set to `true`.
`properties.Timestamp`	`metadata.event_timestamp`
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
`properties.AlertId`	`metadata.product_log_id`
`properties.AttackTechniques`	`security_result.attack_details.techniques.name`
`properties.DetectionSource`	`security_result.detection_fields[detection_source]`
`properties.ServiceSource`	`security_result.detection_fields[service_source]`
`properties.Severity`	`security_result.severity`	If the `properties.Severity` log field value matches the regular expression pattern `(?i)(informational)`, then the `security_result.severity` UDM field is set to `INFORMATIONAL`. Else, if the `properties.Severity` log field value matches the regular expression pattern `(?i)(low)`, then the `security_result.severity` UDM field is set to `LOW`. Else, if the `properties.Severity` log field value matches the regular expression pattern `(?i)(medium)`, then the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `properties.Severity` log field value matches the regular expression pattern `(?i)(high)`, then the `security_result.severity` UDM field is set to `HIGH`.
`properties.Category`	`security_result.category_details`
`properties.Title`	`security_result.threat_name`
`properties.Title`	`security_result.rule_name`

字段映射参考信息：MICROSOFT DEFENDER ENDPOINT - DeviceAlertEvents

下表列出了 DeviceAlertEvents 日志类型的日志字段及其对应的 UDM 字段：

Log field	UDM mapping	Logic
	`is_alert`	The `is_alert` UDM field is set to `true`.
	`is_significant`	The `is_significant` UDM field is set to `true`.
`properties.Timestamp`	`metadata.event_timestamp`
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `SCAN_HOST`.
`properties.ReportId`	`security_result.detection_fields[report_id]`
`properties.DeviceId`	`principal.asset_id`	The `principal.asset_id` is set to `DeviceID:%{properties.DeviceId}`.
`properties.MachineGroup`	`principal.group.group_display_name`
`properties.DeviceName`	`principal.hostname`
`properties.AttackTechniques`	`security_result.attack_details.techniques.name`
`properties.Category`	`security_result.category_details`
`properties.AlertId`	`metadata.product_log_id`
`properties.MitreTechniques`	`security_result.detection_fields[mitre_techniques]`
`properties.Severity`	`security_result.severity`	If the `properties.Severity` log field value is equal to `High`, then the `security_result.severity` UDM field is set to `HIGH`. Else, if the `properties.Severity` log field value is equal to `Medium`, then the `security_result.severity` UDM field is set to `MEDIUM`. Else, if the `properties.Severity` log field value is equal to `Low`, then the `security_result.severity` UDM field is set to `LOW`. Else, if the `properties.Severity` log field value is equal to `Informational`, then the `security_result.severity` UDM field is set to `INFORMATIONAL`.
`properties.Title`	`security_result.threat_name`
`properties.Title`	`security_result.rule_name`
`properties.RemoteIp`	`target.ip`
`properties.FileName`	`target.file.names`
`properties.SHA1`	`target.file.sha1`	If the `properties.SHA1` log field value matches the regular expression pattern `^[0-9a-f]+$`, then the `properties.SHA1` log field is mapped to the `target.file.sha1` UDM field.
`properties.RemoteUrl`	`target.url`
`properties.Table`	`additional.fields[table]`

字段映射参考信息：MICROSOFT DEFENDER ENDPOINT - DeviceFileCertificateInfo

下表列出了 DeviceFileCertificateInfo 日志类型的日志字段及其对应的 UDM 字段：

Log field	UDM mapping	Logic
`properties.Timestamp`	`metadata.event_timestamp`
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`properties.ReportId`	`metadata.product_log_id`
`properties.DeviceId`	`principal.asset_id`	The `principal.asset_id` is set to `DeviceID:%{properties.DeviceId}`.
`properties.SHA1`	`principal.file.sha1`	If the `properties.SHA1` log field value matches the regular expression pattern `^[0-9a-f]+$`, then the `properties.SHA1` log field is mapped to the `target.file.sha1` UDM field.
`properties.Issuer`	`principal.file.signature_info.sigcheck.signers.cert_issuer`
`properties.Signer`	`principal.file.signature_info.sigcheck.signers.name`
`properties.IsSigned`	`principal.file.signature_info.sigcheck.verified`	If the `properties.IsSigned` log field value is equal to `true`, then the `principal.file.signature_info.sigcheck.verified` UDM field is set to `TRUE`. Else, the `principal.file.signature_info.sigcheck.verified` UDM field is set to `FALSE`.
`properties.DeviceName`	`principal.hostname`
`properties.CertificateCountersignatureTime`	`additional.fields[certificate_countersignature_time]`
`properties.CertificateSerialNumber`	`additional.fields[certificate_serial_number]`
`properties.CertificateCreationTime`	`additional.fields[certification_creation_time]`
`properties.CertificateExpirationTime`	`additional.fields[certification_expiration_time]`
`properties.CrlDistributionPointUrls`	`additional.fields[crl_distribution_point_urls]`
`properties.IsRootSignerMicrosoft`	`additional.fields[is_root_signer_microsoft]`
`properties.IsTrusted`	`additional.fields[is_trusted]`
`properties.IssuerHash`	`additional.fields[issuer_hash]`
`properties.SignatureType`	`additional.fields[signature_type]`
`properties.SignerHash`	`additional.fields[signer_hash]`

字段映射参考信息：MICROSOFT DEFENDER ENDPOINT - DeviceImageLoadEvents

下表列出了 DeviceImageLoadEvents 日志类型的日志字段及其对应的 UDM 字段：

Log field	UDM mapping	Logic
`properties.Timestamp`	`metadata.event_timestamp`
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `PROCESS_MODULE_LOAD`.
`properties.ReportId`	`metadata.product_log_id`
`properties.InitiatingProcessAccountDomain`	`principal.administrative_domain`
`principal.DeviceId`	`principal.asset_id`	The `principal.asset_id` is set to `DeviceID:%{principal.DeviceId}`.
`properties.DeviceName`	`principal.hostname`
`properties.InitiatingProcessCommandLine`	`principal.process.command_line`
`properties.InitiatingProcessFolderPath`	`principal.process.file.full_path`	If the `properties.InitiatingProcessFolderPath` log field value matches the regular expression pattern the `properties.InitiatingProcessFileName` log field value, then the `properties.InitiatingProcessFolderPath` log field is mapped to the `principal.process.file.full_path` UDM field. Else, the `principal.process.file.full_path` is set to `%{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}`.
`properties.InitiatingProcessMD5`	`principal.process.file.md5`	If the `properties.InitiatingProcessMD5` log field value matches the regular expression pattern `^[0-9a-f]+$`, then the `properties.InitiatingProcessMD5` log field is mapped to the `principal.process.file.md5` UDM field.
`properties.InitiatingProcessFileName`	`principal.process.file.names`
`properties.InitiatingProcessSHA1`	`principal.process.file.sha1`	If the `properties.InitiatingProcessSHA1` log field value matches the regular expression pattern `^[0-9a-f]+$`, then the `properties.InitiatingProcessSHA1` log field is mapped to the `principal.process.file.sha1` UDM field.
`properties.InitiatingProcessSHA256`	`principal.process.file.sha256`	If the `properties.InitiatingProcessSHA256` log field value matches the regular expression pattern `^[a-f0-9]{64}$`, then the `properties.InitiatingProcessSHA256` log field is mapped to the `principal.process.file.sha256` UDM field.
`properties.InitiatingProcessFileSize`	`principal.process.file.size`
`properties.InitiatingProcessParentFileName`	`principal.process.parent_process.file.names`
`properties.InitiatingProcessParentId`	`principal.process.parent_process.pid`
`properties.InitiatingProcessId`	`principal.process.pid`
`properties.InitiatingProcessTokenElevation`	`principal.process.token_elevation_type`	If the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeFull`, then the `principal.process.token_elevation_type` UDM field is set to `TYPE_1`. Else, if the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeDefault`, then the `principal.process.token_elevation_type` UDM field is set to `TYPE_2`. Else, if the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeLimited`, then the `principal.process.token_elevation_type` UDM field is set to `TYPE_3`.
`properties.InitiatingProcessAccountObjectId`	`principal.user.product_object_id`
`properties.InitiatingProcessAccountUpn`	`principal.user.user_display_name`
`properties.InitiatingProcessAccountName`	`principal.user.userid`
`properties.InitiatingProcessAccountSid`	`principal.user.windows_sid`
`properties.FolderPath`	`target.process.file.full_path`	If the `properties.FolderPath` log field value matches the regular expression pattern the `properties.FileName`, then the `properties.FolderPath` log field is mapped to the `target.process.file.full_path` UDM field. Else, the `target.process.file.full_path`is set to `%{properties.FolderPath}/%{properties.FileName}`.
`properties.MD5`	`target.process.file.md5`	If the `properties.MD5` log field value matches the regular expression pattern `^[0-9a-f]+$`, then the `properties.MD5` log field is mapped to the `target.process.file.md5` UDM field.
`properties.FileName`	`target.process.file.names`
`properties.SHA1`	`target.process.file.sha1`	If the `properties.SHA1` log field value matches the regular expression pattern `^[0-9a-f]+$`, then the `properties.SHA1` log field is mapped to the `target.process.file.sha1` UDM field.
`properties.SHA256`	`target.process.file.sha256`	If the `properties.SHA256` log field value matches the regular expression pattern `^[a-f0-9]{64}$`, then the `properties.SHA256` log field is mapped to the `target.process.file.sha256` UDM field.
`properties.FileSize`	`target.process.file.size`
`properties.FolderPath`	`target.file.full_path`	If the `properties.FolderPath` log field value matches the regular expression pattern the `properties.FileName`, then the `properties.FolderPath` log field is mapped to the `target.file.full_path` UDM field. Else, the `target.file.full_path`is set to `%{properties.FolderPath}/%{properties.FileName}`.
`properties.MD5`	`target.file.md5`	If the `properties.MD5` log field value matches the regular expression pattern `^[0-9a-f]+$`, then the `properties.MD5` log field is mapped to the `target.process.file.md5` UDM field.
`properties.FileName`	`target.file.names`
`properties.SHA1`	`target.file.sha1`	If the `properties.SHA1` log field value matches the regular expression pattern `^[0-9a-f]+$`, then the `properties.SHA1` log field is mapped to the `target.file.sha1` UDM field.
`properties.SHA256`	`target.file.sha256`	If the `properties.SHA256` log field value matches the regular expression pattern `^[a-f0-9]{64}$`, then the `properties.SHA256` log field is mapped to the `target.file.sha256` UDM field.
`properties.FileSize`	`target.file.size`
`properties.AppGuardContainerId`	`additional.fields[app_guard_container_id]`
`properties.InitiatingProcessCreationTime`	`additional.fields[initiating_process_creation_time]`
`properties.InitiatingProcessIntegrityLevel`	`additional.fields[initiating_process_integrity_level]`
`properties.InitiatingProcessParentCreationTime`	`additional.fields[initiating_process_parent_creation_time]`
`properties.InitiatingProcessVersionInfoCompanyName`	`principal.process.file.exif_info.company`
`properties.InitiatingProcessVersionInfoFileDescription`	`principal.process.file.exif_info.file_description`
`properties.InitiatingProcessVersionInfoInternalFileName`	`additional.fields[initiating_process_version_info_internal_file_name]`
`properties.InitiatingProcessVersionInfoOriginalFileName`	`principal.process.file.exif_info.original_file`
`properties.InitiatingProcessVersionInfoProductName`	`principal.process.file.exif_info.product`
`properties.InitiatingProcessVersionInfoProductVersion`	`additional.fields[initiating_process_version_info_product_version]`

字段映射参考信息：MICROSOFT DEFENDER ENDPOINT - DeviceFileEvents

下表列出了 DeviceFileEvents 日志类型的日志字段及其对应的 UDM 字段：

Log field	UDM mapping	Logic
`properties.Timestamp`	`metadata.event_timestamp`
`properties.ActionType`	`metadata.event_type`	If the `properties.ActionType` log field value is equal to `FileCreated`, then the `metadata.event_type` UDM field is set to `FILE_CREATION`. Else, if the `properties.ActionType` log field value is equal to `FileDeleted`, then the `metadata.event_type` UDM field is set to `FILE_DELETION`. Else, if the `properties.ActionType` log field value is equal to `FileModified`, then the `metadata.event_type` UDM field is set to `FILE_MODIFICATION`. Else, if the `properties.ActionType` log field value is equal to `FileRenamed`, then the `metadata.event_type` UDM field is set to `FILE_MOVE`.
`properties.ReportId`	`metadata.product_log_id`
`properties.RequestProtocol`	`network.application_protocol`	If the `properties.RequestProtocol` log field value is equal to `SMB`, then the `network.application_protocol` UDM field is set to `SMB`. Else, if the `properties.RequestProtocol` log field value is equal to `NFS`, then the `network.application_protocol` UDM field is set to `NFS`. Else, if the `properties.RequestProtocol` log field value is equal to `Local`, then the `network.application_protocol` UDM field is set to `UNKNOWN_APPLICATION_PROTOCOL`.
`properties.FileOriginReferrerUrl`	`network.http.referral_url`
`properties.InitiatingProcessAccountDomain`	`principal.administrative_domain`	If the `properties.InitiatingProcessAccountDomain` log field value is not empty, then the `properties.InitiatingProcessAccountDomain` log field is mapped to the `principal.administrative_domain` UDM field.
`properties.RequestAccountDomain`	`principal.administrative_domain`	If the `properties.InitiatingProcessAccountDomain` log field value is empty, then the `properties.RequestAccountDomain` log field is mapped to the `principal.administrative_domain` UDM field.
`properties.DeviceId`	`principal.asset_id`	The `principal.asset_id` is set to `DeviceID:%{properties.DeviceId}`.
`properties.DeviceName`	`principal.hostname`
`properties.FileOriginIP`	`principal.ip`
`properties.RequestSourceIP`	`principal.ip`
`properties.RequestSourcePort`	`principal.port`
`properties.InitiatingProcessCommandLine`	`principal.process.command_line`
`properties.InitiatingProcessFolderPath`	`principal.process.file.full_path`	If the `properties.InitiatingProcessFolderPath` log field value matches the regular expression pattern the `properties.InitiatingProcessFileName` log field value, then the `properties.InitiatingProcessFolderPath` log field is mapped to the `principal.process.file.full_path` UDM field. Else, the `principal.process.file.full_path` is set to `%{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}`.
`properties.InitiatingProcessMD5`	`principal.process.file.md5`	If the `properties.InitiatingProcessMD5` log field value matches the regular expression pattern `^[0-9a-f]+$`, then the `properties.InitiatingProcessMD5` log field is mapped to the `principal.process.file.md5` UDM field.
`properties.InitiatingProcessFileName`	`principal.process.file.names`
`properties.InitiatingProcessSHA1`	`principal.process.file.sha1`	If the `properties.InitiatingProcessSHA1` log field value matches the regular expression pattern `^[0-9a-f]+$`, then the `properties.InitiatingProcessSHA1` log field is mapped to the `principal.process.file.sha1` UDM field.
`properties.InitiatingProcessSHA256`	`principal.process.file.sha256`	If the `properties.InitiatingProcessSHA256` log field value matches the regular expression pattern `^[a-f0-9]{64}$`, then the `properties.InitiatingProcessSHA256` log field is mapped to the `principal.process.file.sha256` UDM field.
`properties.InitiatingProcessFileSize`	`principal.process.file.size`
`properties.InitiatingProcessParentId`	`principal.process.parent_process.pid`
`properties.InitiatingProcessParentFileName`	`principal.process.parent_process.file.names`
`properties.InitiatingProcessId`	`principal.process.pid`
`properties.InitiatingProcessTokenElevation`	`principal.process.token_elevation_type`	If the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeFull`, then the `principal.process.token_elevation_type` UDM field is set to `TYPE_1`. Else, if the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeDefault`, then the `principal.process.token_elevation_type` UDM field is set to `TYPE_2`. Else, if the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeLimited`, then the `principal.process.token_elevation_type` UDM field is set to `TYPE_3`.
`properties.FileOriginUrl`	`principal.url`
`properties.InitiatingProcessAccountObjectId`	`principal.user.product_object_id`
`properties.InitiatingProcessAccountUpn`	`principal.user.user_display_name`
`properties.InitiatingProcessAccountName`	`principal.user.userid`	If the `properties.InitiatingProcessAccountName` log field value is not empty, then the `properties.InitiatingProcessAccountName` log field is mapped to the `principal.user.userid` UDM field.
`properties.RequestAccountName`	`principal.user.userid`	If the `properties.InitiatingProcessAccountName` log field value is empty, then the `properties.RequestAccountName` log field is mapped to the `principal.user.userid` UDM field.
`properties.InitiatingProcessAccountSid`	`principal.user.windows_sid`	If the `properties.InitiatingProcessAccountSid` log field value is not empty, then the `properties.InitiatingProcessAccountSid` log field is mapped to the `principal.user.windows_sid` UDM field.
`properties.RequestAccountSid`	`principal.user.windows_sid`	If the `properties.InitiatingProcessAccountSid` log field value is empty, then the `properties.RequestAccountSid` log field is mapped to the `principal.user.windows_sid` UDM field.
`properties.PreviousFolderPath`	`src.file.full_path`	If the `properties.PreviousFolderPath` log field value matches the regular expression pattern the `properties.PreviousFileName` log field value, then the `properties.PreviousFolderPath` log field is mapped to the `src.file.full_path` UDM field. Else, `src.file.full_path` set to the `%{properties.PreviousFolderPath}/%{properties.PreviousFileName}`.
`properties.PreviousFileName`	`src.file.names`
`properties.FolderPath`	`target.file.full_path`	If the `properties.FolderPath` log field value matches the regular expression pattern the `properties.FileName` log field value, then the `properties.FolderPath` log field is mapped to the `target.file.full_path` UDM field. Else, the `target.file.full_path` set to `%{properties.FolderPath}/%{properties.FileName}`.
`properties.MD5`	`target.file.md5`	If the `properties.MD5` log field value matches the regular expression pattern `^[0-9a-f]+$`, then the `properties.MD5` log field is mapped to the `target.file.md5` UDM field.
`properties.FileName`	`target.file.names`
`properties.SHA1`	`target.file.sha1`	If the `properties.SHA1` log field value matches the regular expression pattern `^[0-9a-f]+$`, then the `properties.SHA1` log field is mapped to the `target.file.sha1` UDM field.
`properties.SHA256`	`target.file.sha256`	If the `properties.SHA256` log field value matches the regular expression pattern `^[a-f0-9]{64}$`, then the `properties.SHA256` log field is mapped to the `target.file.sha256` UDM field.
`properties.FileSize`	`target.file.size`
`properties.SensitivityLabel`	`target.file.tags`
`properties.SensitivitySubLabel`	`target.file.tags`
`properties.AdditionalFields`	`additional.fields[additional_fields]`
`properties.AppGuardContainerId`	`additional.fields[app_guard_container_id]`
`properties.InitiatingProcessCreationTime`	`additional.fields[initiating_process_creation_time]`
`properties.InitiatingProcessIntegrityLevel`	`additional.fields[initiating_process_integrity_level]`
`properties.InitiatingProcessVersionInfoCompanyName`	`principal.process.file.exif_info.company`
`properties.InitiatingProcessVersionInfoFileDescription`	`principal.process.file.exif_info.file_description`
`properties.InitiatingProcessVersionInfoInternalFileName`	`additional.fields[initiating_process_version_info_internal_file_name]`
`properties.InitiatingProcessVersionInfoOriginalFileName`	`principal.process.file.exif_info.original_file`
`properties.InitiatingProcessVersionInfoProductName`	`principal.process.file.exif_info.product`
`properties.InitiatingProcessVersionInfoProductVersion`	`additional.fields[initiating_process_version_info_product_version]`
`properties.InitiatingProcessParentCreationTime`	`additional.fields[initiating_process_parent_creation_time]`
`properties.IsAzureInfoProtectionApplied`	`additional.fields[is_azure_info_protection_applied]`
`properties.ShareName`	`additional.fields[share_name]`

字段映射参考信息：MICROSOFT DEFENDER ENDPOINT - DeviceInfo

下表列出了 DeviceInfo 日志类型的日志字段及其对应的 UDM 字段：

Log field	UDM mapping	Logic
`properties.DeviceId`	`entity.asset_id`	The `entity.asset_id` is set to `DeviceID:%{properties.DeviceId}`.
`properties.DeviceId`	`entity.asset.asset_id`	The `entity.asset.asset_id` is set to `DeviceID:%{properties.DeviceId}`.
`properties.AadDeviceId`	`entity.asset.attribute.labels[aad_device_id]`
`properties.AdditionalFields`	`entity.asset.attribute.labels[additional_fields]`
`properties.ConnectivityType`	`entity.asset.attribute.labels[connectivity_type]`
`properties.DeviceDynamicTags`	`entity.asset.attribute.labels[device_dynamic_tags]`
`properties.DeviceManualTags`	`entity.asset.attribute.labels[device_manual_tags]`
`properties.DeviceSubtype`	`entity.asset.attribute.labels[device_subtype]`
`properties.HostDeviceId`	`entity.asset.attribute.labels[host_device_id]`
`properties.IsAzureADJoined`	`entity.asset.attribute.labels[is_azure_ad_joined]`
`properties.IsInternetFacing`	`entity.asset.attribute.labels[is_internet_facing]`
`properties.JoinType`	`entity.asset.attribute.labels[join_type]`
`properties.MergedDeviceIds`	`entity.asset.attribute.labels[merged_device_ids]`
`properties.MergedToDeviceId`	`entity.asset.attribute.labels[merged_to_device_id]`
`properties.OnboardingStatus`	`entity.asset.attribute.labels[onboarding_status]`
`properties.OSArchitecture`	`entity.asset.attribute.labels[os_architecture]`
`properties.OSDistribution`	`entity.asset.attribute.labels[os_distribution]`
`properties.OSVersionInfo`	`entity.asset.attribute.labels[os_version_info]`
`properties.RegistryDeviceTag`	`entity.asset.attribute.labels[registry_divice_tag]`
`properties.ReportId`	`entity.asset.attribute.labels[report_id]`
`properties.SensorHealthState`	`entity.asset.attribute.labels[sensor_health_state]`
`properties.DeviceCategory`	`entity.asset.category`
`properties.Vendor`	`entity.asset.hardware.manufacturer`
`properties.Model`	`entity.asset.hardware.model`
`properties.DeviceName`	`entity.asset.hostname`
`properties.PublicIP`	`entity.asset.nat_ip`
`properties.OSBuild`	`entity.asset.platform_software.plateform_patch_level`
`properties.OSPlatform`	`entity.asset.platform_software.platform`	If the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)macos`, then the `entity.asset.platform_software.platform` UDM field is set to `MAC`. Else, if the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)windows`, then the `entity.asset.platform_software.platform` UDM field is set to `WINDOWS`. Else, if the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)linux`, then the `entity.asset.platform_software.platform` UDM field is set to `LINUX`.
`properties.OSVersion`	`entity.asset.platform_software.platform_version`
`properties.ClientVersion`	`entity.asset.software.version`
`properties.DeviceType`	`entity.asset.type`	If the `properties.DeviceType` log field value is equal to `NetworkDevice`, then the `entity.asset.type` UDM field is set to `NETWORK_ATTACHED_STORAGE`. Else, if the `properties.DeviceType` log field value is equal to `Workstation`, then the `entity.asset.type` UDM field is set to `WORKSTATION`. Else, if the `properties.DeviceType` log field value is equal to `Server`, then the `entity.asset.type` UDM field is set to `SERVER`. Else, if the `properties.DeviceType` log field value is equal to `Mobile`, then the `entity.asset.type` UDM field is set to `MOBILE`. Else if the `properties.DeviceType` log field value is equal to `Printer`, then the `entity.asset.type` UDM field is set to `PRINTER`.
`properties.DeviceType`	`entity.asset.attribute.labels`	if the `properties.DeviceType` log field value is equal to `GamingConsole`, then the `properties.DeviceType` log field is mapped to the `entity.asset.attribute.labels` UDM field.
`properties.MachineGroup`	`entity.group.group_display_name`
`properties.ExclusionReason`	`entity.security_result.detection_fields[exclusion_reason]`
`properties.ExposureLevel`	`entity.security_result.detection_fields[exposure_level]`
`properties.IsExcluded`	`entity.security_result.detection_fields[is_excluded]`
`properties.AssetValue`	`entity.security_result.priority`	If the `properties.AssetValue` log field value is equal to `High`, then the `entity.security_result.priority` UDM field is set to `HIGH_PRIORITY`. Else, if the `properties.AssetValue` log field value is equal to `Medium`, then the `entity.security_result.priority` UDM field is set to `MEDIUM_PRIORITY`. Else, if the `properties.AssetValue` log field value is equal to `Low`, then the `entity.security_result.priority` UDM field is set to `LOW_PRIORITY`. Else, the `properties.AssetValue` log field is mapped to the `entity.security_result.detection_fields.asset_value` UDM field.
`properties.Timestamp`	`metadata.creation_timestamp`
	`metadata.entity_type`	The `metadata.entity_type` UDM field is set to `ASSET`.
`properties.DeviceId`	`metadata.product_entity_id`	The `metadata.product_entity_id` is set to `DeviceID:%{properties.DeviceId}`.
	`relations.direction`	The `relations.direction` UDM field is set to `UNIDIRECTIONAL`.
	`relations.entity_type`	The `relations.entity_type` UDM field is set to `USER`.
	`relations.relationship`	The `relations.relationship` UDM field is set to `MEMBER`.
`properties.LoggedOnUsers.DomainName`	`relations.entity.domain.name`
`properties.LoggedOnUsers.UserName`	`relations.entity.user.userid`
`properties.LoggedOnUsers.Sid`	`relations.entity.user.windows_sid`
`properties.LoggedOnUsers`

字段映射参考信息：MICROSOFT DEFENDER ENDPOINT - DeviceIdentityLogonEvents

下表列出了 DeviceIdentityLogonEvents 日志类型的日志字段及其对应的 UDM 字段：

Log field	UDM mapping	Logic
`properties.Application`	`additional.fields[application]`
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `SCAN_HOST`.
`properties.DeviceId`	`principal.asset_id`	If the `properties.DeviceId` log field value is not empty, then the `AssetID:properties.DeviceId` log field is mapped to the `principal.asset_id` UDM field. else, then the `AssetID:properties.AdditionalFields.MachineId` log field is mapped to the `principal.asset_id` UDM field.
`properties.DeviceName`	`principal.hostname`	If the `properties.DeviceName` log field value is not empty, then the `properties.DeviceName` log field is mapped to the `principal.hostname` UDM field.
`properties.LocalIP`	`principal.asset.ip`	If the `properties.LocalIP` log field value is not empty, then the `properties.LocalIP` log field is mapped to the `principal.asset.ip` UDM field.
`properties.FolderPath`	`target.file.full_path`	If the `properties.FileName` log field value matches the regular expression pattern the `properties.FolderPath`, then the `properties.FolderPath` log field is mapped to the `target.file.full_path` UDM field. Else, the `properties.FolderPath/properties.FileName` log field is mapped to the `target.file.full_path` UDM field.
`properties.FileName`	`target.file.names`
`properties.SHA1`	`target.file.sha1`	If the `properties.SHA1` log field value matches the regular expression pattern `^the 0-9a-f log field value+$`, then the `properties.SHA1` log field is mapped to the `target.file.sha1` UDM field.
`properties.SHA256`	`target.file.sha256`	If the `properties.SHA256` log field value matches the regular expression pattern `^the a-f0-9, then 64$`, then the `properties.SHA256` log field is mapped to the `target.file.sha256` UDM field.
`properties.FileSize`	`target.file.size`
`properties.AccountDomain`	`principal.administrative_domain`
`properties.RemoteIP`	`target.ip`
`properties.AdditionalFields`	`additional.fields[additionalfields]`
`properties.ProcessCommandLine`	`target.process.command_line`
`properties.RegistryKey`	`target.registry.registry_key`
`properties.RegistryValueData`	`target.registry.registry_value_data`
`properties.RegistryValueName`	`target.registry.registry_value_name`
`properties.CloudPlatform`	`principal.resource.attribute.cloud.environment`	If the `properties.CloudPlatform` log field value matches the regular expression pattern `/(?i)Amazon Web Services/`, then the `principal.resource.attribute.cloud.environment` UDM field is set to `AMAZON_WEB_SERVICES`. Else, if the `properties.CloudPlatform` log field value matches the regular expression pattern `/(?i)Google Cloud Platform/`, then the `principal.resource.attribute.cloud.environment` UDM field is set to `GOOGLE_CLOUD_PLATFORM`. Else, if the `properties.CloudPlatform` log field value matches the regular expression pattern `/(?i)Azure/`, then the `principal.resource.attribute.cloud.environment` UDM field is set to `MICROSOFT_AZURE`. Else, the `principal.resource.attribute.cloud.environment` UDM field is set to `UNSPECIFIED_CLOUD_ENVIRONMENT`.
`properties.SubscriptionId`	`principal.resource.attribute.labels[subscription_id]`
`properties.CloudResource`	`principal.resource.name`
`properties.ResourceID`	`principal.resource.product_object_id`
	`principal.resource.resource_type`	The `principal.resource.resource_type` UDM field is set to `CLOUD_PROJECT`.
`properties.Categories`	`security_result.category_details`
`properties.Severity`	`security_result.severity`
`properties.Title`	`security_result.summary`
`properties.ThreatFamily`	`security_result.threat_name`
`properties.RemoteUrl`	`target.url`
`properties.EvidenceDirection`	`principal.user.attribute.labels[evidence_direction]`
`properties.EvidenceRole`	`principal.user.attribute.labels[evidence_role]`
`properties.AccountObjectId`	`additional.fields[account_object_id]`
`properties.AccountUpn`	`principal.user.user_display_name`
`properties.AccountName`	`principal.user.userid`
`properties.AccountSid`	`principal.user.windows_sid`
`properties.Timestamp`	`metadata.event_timestamp`
`properties.EntityType`	`principal.resource.resource_subtype`
`properties.AlertId`	`metadata.product_log_id`
`properties.DetectionSource`	`security_result.about.resource.attribute.labels[detection_source]`
`properties.ServiceSource`	`security_result.about.resource.attribute.labels[service_source]`
`properties.AttackTechniques`	`security_result.attack_details.techniques.name`
`properties.ApplicationId`	`additional.fields[application_id]`
`properties.EmailSubject`	`network.email.subject`
`properties.NetworkMessageId`	`network.email.mail_id`
`properties.OAuthApplicationId`	`additional.fields[oauth_application_id]`

字段映射参考信息：MICROSOFT DEFENDER ENDPOINT - DeviceLogonEvents

下表列出了 DeviceLogonEvents 日志类型的日志字段及其对应的 UDM 字段：

Log field	UDM mapping	Logic
`properties.LogonType`	`extensions.auth.mechanism`	If the `properties.LogonType` log field value is equal to `Interactive`, then the `extensions.auth.mechanism` UDM field is set to `INTERACTIVE`. Else, if the `properties.LogonType` log field value is equal to `Network`, then the `extensions.auth.mechanism` UDM field is set to `NETWORK`. Else, if the `properties.LogonType` log field value is equal to `Batch`, then the `extensions.auth.mechanism` UDM field is set to `BATCH`. Else, if the `properties.LogonType` log field value is equal to `Service`, then the `extensions.auth.mechanism` UDM field is set to `SERVICE`. Else, if the `properties.LogonType` log field value is equal to `RemoteInteractive`, then the `extensions.auth.mechanism` UDM field is set to `REMOTE_INTERACTIVE`.
`properties.Timestamp`	`metadata.event_timestamp`
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGIN`.
`properties.ReportId`	`metadata.product_log_id`
`properties.Protocol`	`network.ip_protocol`	If the `properties.Protocol` log field value is equal to `Tcp`, then the `network.ip_protocol` UDM field is set to `TCP`. If the `properties.Protocol` log field value is equal to `Udp`, then the `network.ip_protocol` UDM field is set to `UDP`. If the `properties.Protocol` log field value is equal to `Icmp`, then the `network.ip_protocol` UDM field is set to `ICMP`.
`properties.LogonId`	`network.session_id`
`properties.InitiatingProcessAccountDomain`	`principal.administrative_domain`
`properties.DeviceId`	`principal.asset_id`	The `principal.asset_id` is set to `DeviceID:%{properties.DeviceId}`.
`properties.DeviceName`	`principal.hostname`
`properties.InitiatingProcessCommandLine`	`principal.process.command_line`
`properties.InitiatingProcessFolderPath`	`principal.process.file.full_path`	If the `properties.InitiatingProcessFolderPath` log field value matches the regular expression pattern the `properties.InitiatingProcessFileName` log field value, then the `properties.InitiatingProcessFolderPath` log field is mapped to the `principal.process.file.full_path` UDM field. Else, the `principal.process.file.full_path` is set to `%{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}`.
`properties.InitiatingProcessMD5`	`principal.process.file.md5`	If the `properties.InitiatingProcessMD5` log field value matches the regular expression pattern `^[0-9a-f]+$`, then the `properties.InitiatingProcessMD5` log field is mapped to the `principal.process.file.md5` UDM field.
`properties.InitiatingProcessFileName`	`principal.process.file.names`
`properties.InitiatingProcessSHA1`	`principal.process.file.sha1`	If the `properties.InitiatingProcessSHA1` log field value matches the regular expression pattern `^[0-9a-f]+$`, then the `properties.InitiatingProcessSHA1` log field is mapped to the `principal.process.file.sha1` UDM field.
`properties.InitiatingProcessSHA256`	`principal.process.file.sha256`	If the `properties.InitiatingProcessSHA256` log field value matches the regular expression pattern `^[a-f0-9]{64}$`, then the `properties.InitiatingProcessSHA256` log field is mapped to the `principal.process.file.sha256` UDM field.
`properties.InitiatingProcessFileSize`	`principal.process.file.size`
`properties.InitiatingProcessParentFileName`	`principal.process.parent_process.file.names`
`properties.InitiatingProcessParentId`	`principal.process.parent_process.pid`
`properties.InitiatingProcessId`	`principal.process.pid`
`properties.InitiatingProcessTokenElevation`	`principal.process.token_elevation_type`	If the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeFull`, then the `principal.process.token_elevation_type` UDM field is set to `TYPE_1`. Else, if the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeDefault`, then the `principal.process.token_elevation_type` UDM field is set to `TYPE_2`. Else, if the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeLimited`, then the `principal.process.token_elevation_type` UDM field is set to `TYPE_3`.
`properties.InitiatingProcessAccountObjectId`	`principal.user.product_object_id`
`properties.InitiatingProcessAccountUpn`	`principal.user.user_display_name`
`properties.InitiatingProcessAccountName`	`principal.user.userid`
`properties.InitiatingProcessAccountSid`	`principal.user.windows_sid`
`properties.FailureReason`	`security_result.description`
`properties.AccountDomain`	`target.administrative_domain`
`properties.RemoteDeviceName`	`target.hostname`
`properties.RemoteIP`	`target.ip`
`properties.RemotePort`	`target.port`
`properties.IsLocalAdmin`	`target.resource.attribute.labels[is_local_admin]`
`properties.AccountName`	`target.user.userid`
`properties.AccountSid`	`target.user.windows_sid`
`properties.RemoteIPType`	`additional.fields[remote_ip_type]`
`properties.AdditionalFields`	`additional.fields[additional_fields]`
`properties.AppGuardContainerId`	`additional.fields[app_guard_container_id]`
`properties.InitiatingProcessCreationTime`	`additional.fields[initiating_process_creation_time]`
`properties.InitiatingProcessIntegrityLevel`	`additional.fields[initiating_process_integrity_level]`
`properties.InitiatingProcessVersionInfoCompanyName`	`principal.process.file.exif_info.company`
`properties.InitiatingProcessVersionInfoFileDescription`	`principal.process.file.exif_info.file_description`
`properties.InitiatingProcessVersionInfoInternalFileName`	`additional.fields[initiating_process_version_info_internal_file_name]`
`properties.InitiatingProcessVersionInfoOriginalFileName`	`principal.process.file.exif_info.original_file`
`properties.InitiatingProcessVersionInfoProductName`	`principal.process.file.exif_info.product`
`properties.InitiatingProcessVersionInfoProductVersion`	`additional.fields[initiating_process_version_info_product_version]`
`properties.InitiatingProcessParentCreationTime`	`additional.fields[initiating_process_parent_creation_time]`

字段映射参考信息：MICROSOFT DEFENDER ENDPOINT - DeviceNetworkEvents

下表列出了 DeviceNetworkEvents 日志类型的日志字段及其对应的 UDM 字段：

Log field	UDM mapping	Logic
`properties.Timestamp`	`metadata.event_timestamp`
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`.
`properties.ReportId`	`metadata.product_log_id`
`properties.Protocol`	`network.ip_protocol`	If the `properties.Protocol` log field value is equal to `Tcp`, then the `network.ip_protocol` UDM field is set to `TCP`. Else, if the `properties.Protocol` log field value is equal to `Udp`, then the `network.ip_protocol` UDM field is set to `UDP`. Else, if the `properties.Protocol` log field value is equal to `Icmp`, then the `network.ip_protocol` UDM field is set to `ICMP`.
`properties.InitiatingProcessAccountDomain`	`principal.administrative_domain`
`properties.DeviceId`	`principal.asset_id`	The `principal.asset_id` is set to `DeviceID:%{properties.DeviceId}`.
`properties.DeviceName`	`principal.hostname`
`properties.LocalIP`	`principal.ip`
`properties.LocalPort`	`principal.port`
`properties.InitiatingProcessCommandLine`	`principal.process.command_line`
`properties.InitiatingProcessFolderPath`	`principal.process.file.full_path`	If the `properties.InitiatingProcessFolderPath` log field value matches the regular expression pattern the `properties.InitiatingProcessFileName` log field value, then the `properties.InitiatingProcessFolderPath` log field is mapped to the `principal.process.file.full_path` UDM field. Else, the `principal.process.file.full_path` is set to `%{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}`.
`properties.InitiatingProcessMD5`	`principal.process.file.md5`	If the `properties.InitiatingProcessMD5` log field value matches the regular expression pattern `^[0-9a-f]+$`, then the `properties.InitiatingProcessMD5` log field is mapped to the `principal.process.file.md5` UDM field.
`properties.InitiatingProcessFileName`	`principal.process.file.names`
`properties.InitiatingProcessSHA1`	`principal.process.file.sha1`	If the `properties.InitiatingProcessSHA1` log field value matches the regular expression pattern `^[0-9a-f]+$`, then the `properties.InitiatingProcessSHA1` log field is mapped to the `principal.process.file.sha1` UDM field.
`properties.InitiatingProcessSHA256`	`principal.process.file.sha256`	If the `properties.InitiatingProcessSHA256` log field value matches the regular expression pattern `^[a-f0-9]{64}$`, then the `properties.InitiatingProcessSHA256` log field is mapped to the `principal.process.file.sha256` UDM field.
`properties.InitiatingProcessFileSize`	`principal.process.file.size`
`properties.InitiatingProcessParentFileName`	`principal.process.parent_process.file.names`
`properties.InitiatingProcessParentId`	`principal.process.parent_process.pid`
`properties.InitiatingProcessId`	`principal.process.pid`
`properties.InitiatingProcessTokenElevation`	`principal.process.token_elevation_type`	If the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeFull`, then the `principal.process.token_elevation_type` UDM field is set to `TYPE_1`. Else, if the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeDefault`, then the `principal.process.token_elevation_type` UDM field is set to `TYPE_2`. Else, if the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeLimited`, then the `principal.process.token_elevation_type` UDM field is set to `TYPE_3`.
`properties.InitiatingProcessAccountObjectId`	`principal.user.product_object_id`
`properties.InitiatingProcessAccountUpn`	`principal.user.user_display_name`
`properties.InitiatingProcessAccountName`	`principal.user.userid`
`properties.InitiatingProcessAccountSid`	`principal.user.windows_sid`
`properties.RemoteIP`	`target.ip`
`properties.RemotePort`	`target.port`
`properties.RemoteUrl`	`target.url`
`properties.LocalIPType`	`additional_fields[LocalIPType]`
`properties.RemoteIPType`	`additional_fields[RemoteIPType]`
`properties.AdditionalFields`	`additional.fields[additional_fields]`
`properties.AppGuardContainerId`	`additional.fields[app_guard_container_id]`
`properties.InitiatingProcessCreationTime`	`additional.fields[initiating_process_creation_time]`
`properties.InitiatingProcessIntegrityLevel`	`additional.fields[initiating_process_integrity_level]`
`properties.InitiatingProcessParentCreationTime`	`additional.fields[initiating_process_parent_creation_time]`
`properties.InitiatingProcessVersionInfoCompanyName`	`principal.process.file.exif_info.company`
`properties.InitiatingProcessVersionInfoFileDescription`	`principal.process.file.exif_info.file_description`
`properties.InitiatingProcessVersionInfoInternalFileName`	`additional.fields[initiating_process_version_info_internal_file_name]`
`properties.InitiatingProcessVersionInfoOriginalFileName`	`principal.process.file.exif_info.original_file`
`properties.InitiatingProcessVersionInfoProductName`	`principal.process.file.exif_info.product`
`properties.InitiatingProcessVersionInfoProductVersion`	`additional.fields[initiating_process_version_info_product_version]`

字段映射参考信息：MICROSOFT DEFENDER ENDPOINT - DeviceNetworkInfo

下表列出了 DeviceNetworkInfo 日志类型的日志字段及其对应的 UDM 字段：

Log field	UDM mapping	Logic
`DeviceNetworkInfo`
`properties.DeviceId`	`entity.asset_id`	The `entity.asset_id` is set to `DeviceID:%{properties.DeviceId}`.
`properties.DeviceId`	`entity.asset.asset_id`	The `entity.asset.asset_id` is set to `DeviceID:%{properties.DeviceId}`.
`properties.ReportId`	`entity.asset.attribute.labels[report_id]`
`properties.ConnectedNetworks`	`entity.asset.attribute.labels[connected_networks]`
`properties.MacAddress`	`entity.asset.mac`
`properties.NetworkAdapterName`	`entity.asset.attribute.labels[network_adapter_name]`
`properties.NetworkAdapterStatus`	`entity.asset.attribute.labels[network_adapter_status]`
`properties.NetworkAdapterType`	`entity.asset.attribute.labels[network_adapter_type]`
`properties.NetworkAdapterVendor`	`entity.asset.attribute.labels[network_adapter_vendor]`
`properties.TunnelType`	`entity.asset.attribute.labels[tunnel_type]`
`properties.DefaultGateways`	`entity.asset.attribute.labels[default_gateways]`
`properties.DeviceName`	`entity.asset.hostname`
`properties.IPAddresses`	`entity.asset.ip`
	`entity.asset.type`	The `entity.asset.type` UDM field is set to `WORKSTATION`.
`properties.DnsAddresses`	`entity.domain.last_dns_records.type`	The `entity.domain.last_dns_records.type` UDM field is set to `ip_address`.
`properties.DnsAddresses`	`entity.domain.last_dns_records.value`	The `properties.DnsAddresses` log field is mapped to the `entity.domain.last_dns_records.value` UDM field.
`properties.IPv4Dhcp`	`entity.network.dhcp.ciaddr`	If the `properties.IPv4Dhcp` log field value is not empty, then the `properties.IPv4Dhcp` log field is mapped to the `entity.network.dhcp.ciaddr` UDM field. Else, the `properties.IPv6Dhcp` log field is mapped to the `entity.network.dhcp.ciaddr` UDM field.
`properties.Timestamp`	`metadata.creation_time`
	`metadata.entity_type`	The `metadata.entity_type` UDM field is set to `ASSET`.
`properties.DeviceId`	`metadata.product_entity_id`	The `metadata.product_entity_id` is set to `DeviceID:%{properties.DeviceId}`.

字段映射参考信息：MICROSOFT DEFENDER ENDPOINT - DeviceProcessEvents

下表列出了 DeviceProcessEvents 日志类型的日志字段及其对应的 UDM 字段：

Log field	UDM mapping	Logic
`properties.Timestamp`	`metadata.event_timestamp`
`properties.ActionType`	`metadata.event_type`	If the `properties.ActionType` log field value matches the regular expression pattern `(?i)ProcessCreated`, then the `metadata.event_type` UDM field is set to `PROCESS_LAUNCH`. Else, if the `properties.ActionType` log field value matches the regular expression pattern `(?i)OpenProcess`, then the `metadata.event_type` UDM field is set to `PROCESS_OPEN`.
`properties.ReportId`	`metadata.product_log_id`
`properties.LogonId`	`network.session_id`
`properties.InitiatingProcessAccountDomain`	`principal.administrative_domain`
`properties.DeviceId`	`principal.asset_id`	The `principal.asset_id` is set to `DeviceID:%{properties.DeviceId}`.
`properties.DeviceName`	`principal.hostname`
`properties.InitiatingProcessCommandLine`	`principal.process.command_line`
`properties.InitiatingProcessFolderPath`	`principal.process.file.full_path`	If the `properties.InitiatingProcessFolderPath` log field value matches the regular expression pattern the `properties.InitiatingProcessFileName` log field value, then the `properties.InitiatingProcessFolderPath` log field is mapped to the `principal.process.file.full_path` UDM field. Else, the `principal.process.file.full_path` is set to `%{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}`.
`properties.InitiatingProcessMD5`	`principal.process.file.md5`	If the `properties.InitiatingProcessMD5` log field value matches the regular expression pattern `^[0-9a-f]+$`, then the `properties.InitiatingProcessMD5` log field is mapped to the `principal.process.file.md5` UDM field.
`properties.InitiatingProcessFileName`	`principal.process.file.names`
`properties.InitiatingProcessSHA1`	`principal.process.file.sha1`	If the `properties.InitiatingProcessSHA1` log field value matches the regular expression pattern `^[0-9a-f]+$`, then the `properties.InitiatingProcessSHA1` log field is mapped to the `principal.process.file.sha1` UDM field.
`properties.InitiatingProcessSHA256`	`principal.process.file.sha256`	If the `properties.InitiatingProcessSHA256` log field value matches the regular expression pattern `^[a-f0-9]{64}$`, then the `properties.InitiatingProcessSHA256` log field is mapped to the `principal.process.file.sha256` UDM field.
`properties.InitiatingProcessSignatureStatus`	`principal.process.file.signature_info.sigcheck.signers.status`
`properties.InitiatingProcessFileSize`	`principal.process.file.size`
`properties.InitiatingProcessParentId`	`principal.process.parent_process.pid`
`properties.InitiatingProcessParentFileName`	`principal.process.parent_process.file.names`
`properties.InitiatingProcessId`	`principal.process.pid`
`properties.InitiatingProcessTokenElevation`	`principal.process.token_elevation_type`	If the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeFull`, then the `principal.process.token_elevation_type` UDM field is set to `TYPE_1`. Else, if the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeDefault`, then the `principal.process.token_elevation_type` UDM field is set to `TYPE_2`. Else, if the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeLimited`, then the `principal.process.token_elevation_type` UDM field is set to `TYPE_3`
`properties.InitiatingProcessAccountObjectId`	`principal.user.product_object_id`
`properties.InitiatingProcessAccountUpn`	`principal.user.user_display_name`
`properties.InitiatingProcessAccountName`	`principal.user.userid`
`properties.InitiatingProcessAccountSid`	`principal.user.windows_sid`
`properties.AccountDomain`	`target.administrative_domain`
`properties.FolderPath`	`target.file.full_path`	If the `properties.FolderPath` log field value matches the regular expression pattern the `properties.FileName` log field value, then the `properties.FolderPath` log field is mapped to the `target.file.full_path` UDM field. Else, the `target.file.full_path` set to `%{properties.FolderPath}/%{properties.FileName}`.
`properties.MD5`	`target.process.file.md5`	If the `properties.MD5` log field value matches the regular expression pattern `^[0-9a-f]+$`, then the `properties.MD5` log field is mapped to the `target.file.md5` UDM field.
`properties.FileName`	`target.process.file.names`
`properties.SHA1`	`target.process.file.sha1`	If the `properties.SHA1` log field value matches the regular expression pattern `^[0-9a-f]+$`, then the `properties.SHA1` log field is mapped to the `target.file.sha1` UDM field.
`properties.SHA256`	`target.process.file.sha256`	If the `properties.SHA256` log field value matches the regular expression pattern `^[a-f0-9]{64}$`, then the `properties.SHA256` log field is mapped to the `target.file.sha256` UDM field.
`properties.FileSize`	`target.process.file.size`
`properties.ProcessCommandLine`	`target.process.command_line`
`properties.ProcessId`	`target.process.pid`
`properties.ProcessTokenElevation`	`target.process.token_elevation_type`	If the `properties.ProcessTokenElevation` log field value is equal to `TokenElevationTypeFull`, then the `target.process.token_elevation_type` UDM field is set to `TYPE_1`. Else, if the `properties.ProcessTokenElevation` log field value is equal to `TokenElevationTypeDefault`, then the `target.process.token_elevation_type` UDM field is set to `TYPE_2`. Else, if the `properties.ProcessTokenElevation` log field value is equal to `TokenElevationTypeLimited`, then the `target.process.token_elevation_type` UDM field is set to `TYPE_3`.
`properties.ProcessIntegrityLevel`	`target.resource.attribute.labels[process_integrity_level]`
`properties.AccountUpn`	`target.user.user_display_name`
`properties.AccountName`	`target.user.userid`
`properties.AccountSid`	`target.user.windows_sid`
`properties.InitiatingProcessCreationTime`	`additional.fields[initiating_process_creation_time]`
`properties.InitiatingProcessParentCreationTime`	`additional.fields[initiating_process_parent_creation_time]`
`properties.AccountObjectId`	`additional.fields[account_object_id]`
`properties.AdditionalFields`	`additional.fields[additional_fields]`
`properties.AppGuardContainerId`	`additional.fields[app_guard_container_id]`
`properties.InitiatingProcessIntegrityLevel`	`additional.fields[initiating_process_integrity_level]`
`properties.InitiatingProcessLogonId`	`additional.fields[initiating_process_logon_id]`
`properties.InitiatingProcessSignerType`	`additional.fields[initiating_process_signer_type]`
`properties.InitiatingProcessVersionInfoCompanyName`	`principal.process.file.exif_info.company`
`properties.InitiatingProcessVersionInfoFileDescription`	`principal.process.file.exif_info.file_description`
`properties.InitiatingProcessVersionInfoInternalFileName`	`additional.fields[initiating_process_version_info_internal_file_name]`
`properties.InitiatingProcessVersionInfoOriginalFileName`	`principal.process.file.exif_info.original_file`
`properties.InitiatingProcessVersionInfoProductName`	`principal.process.file.exif_info.product`
`properties.InitiatingProcessVersionInfoProductVersion`	`additional.fields[initiating_process_version_info_product_version]`
`properties.ProcessCreationTime`	`additional.fields[process_creation_time]`
`properties.ProcessVersionInfoCompanyName`	`target.process.file.exif_info.company`
`properties.ProcessVersionInfoFileDescription`	`target.process.file.exif_info.file_description`
`properties.ProcessVersionInfoInternalFileName`	`additional.fields[process_version_info_internal_file_name]`
`properties.ProcessVersionInfoOriginalFileName`	`target.process.file.exif_info.original_file`
`properties.ProcessVersionInfoProductName`	`target.process.file.exif_info.product`
`properties.ProcessVersionInfoProductVersion`	`additional.fields[process_version_info_product_version]`

字段映射参考信息：MICROSOFT DEFENDER ENDPOINT - DeviceTvmInfoGathering

下表列出了 DeviceTvmInfoGathering 日志类型的日志字段及其对应的 UDM 字段：

Log field	UDM mapping	Logic
`properties.Timestamp`	`metadata.event_timestamp`
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `SCAN_HOST`.
`properties.DeviceId`	`principal.asset_id`	The `principal.asset_id` is set to `DeviceID:%{properties.DeviceId}`.
`properties.OSPlatform`	`principal.asset.platform_software.platform`	If the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)macos`, then the `principal.asset.platform_software.platform` UDM field is set to `MAC`. Else, if the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)windows`, then the `principal.asset.platform_software.platform` UDM field is set to `WINDOWS`. Else, if the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)linux`, then the `principal.asset.platform_software.platform` UDM field is set to `LINUX`.
`properties.OSPlatform`	`principal.asset.platform_software.platform_version`
`properties.DeviceName`	`principal.hostname`
`properties.LastSeenTime`	`security.result.last_discovered_time`
`properties.AdditionalFields`	`additional.fields[additional_fields]`

字段映射参考信息：MICROSOFT DEFENDER ENDPOINT - DeviceRegistryEvents

下表列出了 DeviceRegistryEvents 日志类型的日志字段及其对应的 UDM 字段：

Log field	UDM mapping	Logic
`properties.Timestamp`	`metadata.event_timestamp`
`properties.ActionType`	`metadata.event_type`	If the `properties.ActionType` log field value matches the regular expression pattern `(?i)RegistryKeyCreated`, then the `metadata.event_type` UDM field is set to `REGISTRY_CREATION`. Else, if the `properties.ActionType` log field value matches the regular expression pattern `(?i)RegistryKeyDeleted`, then the `metadata.event_type` UDM field is set to `REGISTRY_DELETION`. Else, if the `properties.ActionType` log field value matches the regular expression pattern `(?i)RegistryKeyRenamed`, then the `metadata.event_type` UDM field is set to `REGISTRY_MODIFICATION`. Else, if the `properties.ActionType` log field value matches the regular expression pattern `(?i)RegistryValueDeleted`, then the `metadata.event_type` UDM field is set to `REGISTRY_DELETION`. Else, if the `properties.ActionType` log field value matches the regular expression pattern `(?i)RegistryValueSet`, then the `metadata.event_type` UDM field is set to `REGISTRY_MODIFICATION`. Else, the `metadata.event_type` UDM field is set to `REGISTRY_UNCATEGORIZED`.
`properties.ReportId`	`metadata.product_log_id`
`properties.InitiatingProcessAccountDomain`	`principal.administrative_domain`
`properties.DeviceId`	`principal.asset_id`	The `principal.asset_id` is set to `DeviceID:%{properties.DeviceId}`.
`properties.DeviceName`	`principal.hostname`
`properties.InitiatingProcessCommandLine`	`principal.process.command_line`
`properties.InitiatingProcessFolderPath`	`principal.process.file.full_path`	If the `properties.InitiatingProcessFolderPath` log field value matches the regular expression pattern the `properties.InitiatingProcessFileName` log field value, then the `properties.InitiatingProcessFolderPath` log field is mapped to the `principal.process.file.full_path` UDM field. Else, the `principal.process.file.full_path` is set to `%{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}`.
`properties.InitiatingProcessMD5`	`principal.process.file.md5`	If the `properties.InitiatingProcessMD5` log field value matches the regular expression pattern `^[0-9a-f]+$`, then the `properties.InitiatingProcessMD5` log field is mapped to the `principal.process.file.md5` UDM field.
`properties.InitiatingProcessFileName`	`principal.process.file.names`
`properties.InitiatingProcessSHA1`	`principal.process.file.sha1`	If the `properties.InitiatingProcessSHA1` log field value matches the regular expression pattern `^[0-9a-f]+$`, then the `properties.InitiatingProcessSHA1` log field is mapped to the `principal.process.file.sha1` UDM field.
`properties.InitiatingProcessSHA256`	`principal.process.file.sha256`	If the `properties.InitiatingProcessSHA256` log field value matches the regular expression pattern `^[a-f0-9]{64}$`, then the `properties.InitiatingProcessSHA256` log field is mapped to the `principal.process.file.sha256` UDM field.
`properties.InitiatingProcessFileSize`	`principal.process.file.size`
`properties.InitiatingProcessParentFileName`	`principal.process.parent_process.file.names`
`properties.InitiatingProcessParentId`	`principal.process.parent_process.pid`
`properties.InitiatingProcessId`	`principal.process.pid`
`properties.PreviousRegistryValueData`	`principal.registry.registry_value_data`
`properties.PreviousRegistryKey`	`principal.registry.registry_key`
`properties.PreviousRegistryValueName`	`principal.registry.registry_value_name`
`properties.InitiatingProcessAccountObjectId`	`principal.user.attribute.labels[initiating_process_account_object_id]`
`properties.InitiatingProcessAccountUpn`	`principal.user.attribute.labels[initiating_process_account_upn]`
`properties.InitiatingProcessAccountName`	`principal.user.userid`
`properties.InitiatingProcessAccountSid`	`principal.user.windows_sid`
`properties.InitiatingProcessTokenElevation`	`principal.process.token_elevation_type`	If the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeFull`, then the `principal.process.token_elevation_type` UDM field is set to `TYPE_1`. Else, if the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeDefault`, then the `principal.process.token_elevation_type` UDM field is set to `TYPE_2`. Else, if the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeLimited`, then the `principal.process.token_elevation_type` UDM field is set to `TYPE_3`.
`properties.RegistryValueData`	`target.registry.registry_value_data`
`properties.RegistryKey`	`target.registry.registry_key`
`properties.RegistryValueName`	`target.registry.registry_value_name`
`properties.InitiatingProcessCreationTime`	`additional.fields[initiating_process_creation_time]`
`properties.InitiatingProcessIntegrityLevel`	`additional.fields[initiating_process_integrity_level]`
`properties.InitiatingProcessParentCreationTime`	`additional.fields[initiating_process_parent_creation_time]`
`properties.AppGuardContainerId`	`additional.fields[app_guard_container_id]`
`properties.InitiatingProcessVersionInfoCompanyName`	`principal.process.file.exif_info.company`
`properties.InitiatingProcessVersionInfoFileDescription`	`principal.process.file.exif_info.file_description`
`properties.InitiatingProcessVersionInfoInternalFileName`	`additional.fields[initiating_process_version_info_internal_file_name]`
`properties.InitiatingProcessVersionInfoOriginalFileName`	`principal.process.file.exif_info.original_file`
`properties.InitiatingProcessVersionInfoProductName`	`principal.process.file.exif_info.product`
`properties.InitiatingProcessVersionInfoProductVersion`	`additional.fields[initiating_process_version_info_product_version]`
`properties.RegistryValueType`	`additional.fields[registry_value_type]`

字段映射参考信息：MICROSOFT DEFENDER ENDPOINT - DeviceTvmInfoGatheringKB

下表列出了 DeviceTvmInfoGatheringKB 日志类型的日志字段及其对应的 UDM 字段：

Log field	UDM mapping	Logic
`properties.Description`	`metadata.description`
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
`properties.IgId`	`metadata.product_log_id`
`properties.Categories`	`principal.resource.attribute.labels[categories]`
`properties.DataStructure`	`principal.resource.attribute.labels[data_structure]`
`properties.FieldName`	`principal.resource.name`

字段映射参考信息：MICROSOFT DEFENDER ENDPOINT - DeviceTvmSecureConfigurationAssessment

下表列出了 DeviceTvmSecureConfigurationAssessment 日志类型的日志字段及其对应的 UDM 字段：

Log field	UDM mapping	Logic
`properties.Timestamp`	`metadata.event_timestamp`
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `SCAN_UNCATEGORIZED`.
`properties.DeviceId`	`principal.asset_id`	The `principal.asset_id` is set to `DeviceID:%{properties.DeviceId}`.
`properties.OSPlatform`	`principal.asset.platform_software.platform`	If the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)macos`, then the `prinipal.asset.platform_software.platform` UDM field is set to `MAC`. Else, if the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)windows`, then the `principal.asset.platform_software.platform` UDM field is set to `WINDOWS`. Else, if the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)linux`, then the `principal.asset.platform_software.platform` UDM field is set to `LINUX`.
`properties.DeviceName`	`principal.hostname`
`properties.ConfigurationCategory`	`principal.resource.attribute.labels[configuration_category]`
`properties.ConfigurationImpact`	`principal.resource.attribute.labels[configuration_impact]`
`properties.Context`	`principal.resource.attribute.labels[contex]`
`properties.IsApplicable`	`principal.resource.attribute.labels[is_applicable]`
`properties.IsCompliant`	`principal.resource.attribute.labels[is_compliant]`
`properties.IsExpectedUserImpact`	`principal.resource.attribute.labels[is_expected_user_impact]`
`properties.ConfigurationId`	`principal.resource.product_object_id`
`properties.ConfigurationSubcategory`	`principal.resource.resource_subtype`
	`principal.resource.resource_type`	The `principal.resource.resource_type` UDM field is set to `ACCESS_POLICY`.

字段映射参考信息：MICROSOFT DEFENDER ENDPOINT - DeviceTvmSecureConfigurationAssessmentKB

下表列出了 DeviceTvmSecureConfigurationAssessmentKB 日志类型的日志字段及其对应的 UDM 字段：

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
`properties.ConfigurationBenchmarks`	`principal.resource.attribute.labels[configuration_benchmarks]`
`properties.ConfigurationCategory`	`principal.resource.attribute.labels[configuration_category]`
`properties.ConfigurationDescription`	`principal.resource.attribute.labels[configuration_description]`
`properties.ConfigurationImpact`	`principal.resource.attribute.labels[configuration_impact]`
`properties.RemediationOptions`	`principal.resource.attribute.labels[remediation_options]`
`properties.RiskDescription`	`principal.resource.attribute.labels[risk_description]`
`properties.Tags`	`principal.resource.attribute.labels[tags]`
`properties.ConfigurationName`	`principal.resource.name`
`properties.ConfigurationId`	`principal.resource.product_object_id`
`properties.ConfigurationSubcategory`	`principal.resource.resource_subtype`
	`principal.resource.resource_type`	The `principal.resource.resource_type` UDM field is set to `ACCESS_POLICY`.

字段映射参考信息：MICROSOFT DEFENDER ENDPOINT - DeviceTvmSoftwareEvidenceBeta

下表列出了 DeviceTvmSoftwareEvidenceBeta 日志类型的日志字段及其对应的 UDM 字段：

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
`properties.DeviceId`	`principal.asset_id`	The `principal.asset_id` is set to `DeviceID:%{properties.DeviceId}`.
`properties.DiskPaths`	`principal.asset.attribute.labels[disk_paths]`	The `properties.DiskPaths` log field is mapped to the `principal.asset.attribute.labels.disk_paths` UDM field.
`properties.RegistryPaths`	`principal.asset.attribute.labels[registry_paths]`	The `properties.RegistryPaths` log field is mapped to the `principal.asset.attribute.labels.registry_paths` UDM field.
`properties.LastSeenTime`	`principal.asset.last_discover_time`
`properties.SoftwareName`	`principal.asset.software.name`
`properties.SoftwareVendor`	`principal.asset.software.vendor_name`
`properties.SoftwareVersion`	`principal.asset.software.version`

字段映射参考信息：MICROSOFT DEFENDER ENDPOINT - DeviceTvmSoftwareInventory

下表列出了 DeviceTvmSoftwareInventory 日志类型的日志字段及其对应的 UDM 字段：

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
`properties.DeviceId`	`principal.asset_id`	The `principal.asset_id` is set to `DeviceID:%{properties.DeviceId}`.
`properties.EndOfSupportDate`	`principal.asset.attribute.labels[end_of_support_date]`
`properties.EndOfSupportStatus`	`principal.asset.attribute.labels[end_of_support_status]`
`properties.OSArchitecture`	`principal.asset.attribute.labels[os_architecture]`
`properties.ProductCodeCpe`	`principal.asset.attribute.labels[product_code_cpe]`
`properties.OSPlatform`	`principal.asset.platform_software.platform`	If the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)macos`, then the `prinipal.asset.platform_software.platform` UDM field is set to `MAC`. Else, if the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)windows`, then the `principal.asset.platform_software.platform` UDM field is set to `WINDOWS`. Else, if the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)linux`, then the `principal.asset.platform_software.platform` UDM field is set to `LINUX`.
`properties.OSVersion`	`principal.asset.platform_software.platform_version`
`properties.SoftwareName`	`principal.asset.software.name`
`properties.SoftwareVendor`	`principal.asset.software.vendor_name`
`properties.SoftwareVersion`	`principal.asset.software.version`
`properties.DeviceName`	`principal.hostname`

字段映射参考信息：MICROSOFT DEFENDER ENDPOINT - DeviceTvmSoftwareVulnerabilities

下表列出了 DeviceTvmSoftwareVulnerabilities 日志类型的日志字段及其对应的 UDM 字段：

Log field	UDM mapping	Logic
`properties.CveId`	`extensions.vulns.vulnerabilities.cve_id`
`properties.VulnerabilityLevel`	`extensions.vulns.vulnerabilities.severity`	If the `properties.VulnerabilityLevel` log field value is equal to `High`, then the `extensions.vulns.vulnerabilities.severity` UDM field is set to `HIGH`. Else, if the `properties.VulnerabilityLevel` log field value is equal to `Medium`, then the `extensions.vulns.vulnerabilities.severity` UDM field is set to `MEDIUM`. Else, if the `properties.VulnerabilityLevel` log field value is equal to `Low`, then the `extensions.vulns.vulnerabilities.severity` UDM field is set to `LOW`. Else, if the `properties.VulnerabilityLevel` log field value is equal to `Informational`, then the `extensions.vulns.vulnerabilities.severity` UDM field is set to `INFORMATIONAL`.
`properties.SeverityLevel`	`extensions.vulns.vulnerablitities.severity_details`
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `SCAN_VULN_HOST`.
`properties.DeviceId`	`principal.asset_id`	The `principal.asset_id` is set to `DeviceID:%{properties.DeviceId}`.
`properties.OSPlatform`	`principal.asset.platform_software.platform`	If the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)macos`, then the `principal.asset.platform_software.platform` UDM field is set to `MAC`. Else, if the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)windows`, then the `principal.asset.platform_software.platform` UDM field is set to `WINDOWS`. Else, if the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)linux`, then the `principal.asset.platform_software.platform` UDM field is set to `LINUX`.
`properties.OSVersion`	`principal.asset.platform_software.platform_version`
`properties.SoftwareName`	`principal.asset.software.name`
`properties.SoftwareVendor`	`principal.asset.software.vendor_name`
`properties.SoftwareVersion`	`principal.asset.software.version`
`properties.DeviceName`	`principal.hostname`
`properties.RecommendedSecurityUpdateId`	`security_result.detection_fields[recommended_security_update_id]`
`properties.RecommendedSecurityUpdate`	`security_result.detection_fields[recommended_security_update]`
`properties.CveTags`	`additional.fields[cve_tags]`

字段映射参考信息：MICROSOFT DEFENDER ENDPOINT - DeviceTvmSoftwareVulnerabilitiesKB

下表列出了 DeviceTvmSoftwareVulnerabilitiesKB 日志类型的日志字段及其对应的 UDM 字段：

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
`properties.CveId`	`extensions.vulns.vulnerabilities.cve_id`
`properties.CvssScore`	`extensions.vulns.vulnerablities.cvss_base_score`
`properties.IsExploitAvailable`	`extensions.vulns.vulnerablities.cvss_vector`
`properties.VulnerabilitySeverityLevel`	`extensions.vulns.vulnerabilities.severity`	If the `properties.VulnerabilitySeverityLevel` log field value is equal to `High`, then the `extensions.vulns.vulnerabilities.severity` UDM field is set to `HIGH`. Else, if the `properties.VulnerabilitySeverityLevel` log field value is equal to `Medium`, then the `extensions.vulns.vulnerabilities.severity` UDM field is set to `MEDIUM`. Else, if the `properties.VulnerabilitySeverityLevel` log field value is equal to `Low`, then the `extensions.vulns.vulnerabilities.severity` UDM field is set to `LOW`. Else, if the `properties.VulnerabilitySeverityLevel` log field value is equal to `Informational`, then the `extensions.vulns.vulnerabilities.severity` UDM field is set to `INFORMATIONAL`. Else, the `extensions.vulns.vulnerabilities.severity` UDM field is set to `UNKNOWN_SEVERITY`.
`properties.VulnerabilitySeverityLevel`	`extensions.vulns.vulnerablitities.severity_details`
`properties.LastModifiedTime`	`extensions.vulns.vulnerabilities.scan_end_time`
`properties.PublishedDate`	`extensions.vulns.vulnerabilities.first_found`
`properties.VulnerabilityDescription`	`extensions.vulns.vulnerabilities.cve_description`
`properties.AffectedSoftware`	`extensions.vulns.vulnerabilities.description`

字段映射参考信息：MICROSOFT DEFENDER ENDPOINT - EmailAttachmentInfo

下表列出了 EmailAttachmentInfo 日志类型的日志字段及其对应的 UDM 字段：

Log field	UDM mapping	Logic
`properties.FileType`	`target.file.mime_type`
`properties.FileName`	`target.file.names`
`properties.SHA256`	`target.file.sha256`	If the `properties.SHA256` log field value matches the regular expression pattern `^[a-f0-9]{64}$`, then the `properties.SHA256` log field is mapped to the `target.file.sha256` UDM field.
`properties.FileSize`	`target.file.size`
`properties.Timestamp`	`metadata.event_timestamp`
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `EMAIL_TRANSACTION`.
`properties.ReportId`	`metadata.product_log_id`
`properties.SenderFromAddress`	`network.email.from`	If the `properties.SenderFromAddress` log field value matches the regular expression pattern `^.+@.+$`, then the `properties.SenderFromAddress` log field is mapped to the `network.email.from` UDM field.
`properties.NetworkMessageId`	`network.email.mail_id`
`properties.RecipientEmailAddress`	`network.email.to`	If the `properties.RecipientEmailAddress` log field value matches the regular expression pattern `^.+@.+$`, then the `properties.RecipientEmailAddress` log field is mapped to the `network.email.to` UDM field.
`properties.SenderFromAddress`	`principal.user.email_addresses`	If the `properties.SenderFromAddress` log field value matches the regular expression pattern `^.+@.+$`, then the `properties.SenderFromAddress` log field is mapped to the `principal.user.email_addresses` UDM field.
`properties.SenderObjectId`	`principal.user.product_object_id`
`properties.SenderDisplayName`	`principal.user.user_display_name`
`properties.ThreatTypes`	`security_result.category`	If the `properties.ThreatTypes` log field value is equal to `Phish`, then the `security_result.category` UDM field is set to `MAIL_PHISHING`.
`properties.DetectionMethods`	`security_result.detection_fields[detection_methods]`
`properties.ThreatNames`	`security_result.threat_name`
`properties.RecipientEmailAddress`	`target.user.email_addresses`	If the `properties.RecipientEmailAddress` log field value matches the regular expression pattern `^.+@.+$`, then the `properties.RecipientEmailAddress` log field is mapped to the `target.user.email_addresses` UDM field.
`properties.RecipientObjectId`	`target.user.product_object_id`

字段映射参考信息：MICROSOFT DEFENDER ENDPOINT - EmailEvents

下表列出了 EmailEvents 日志类型的日志字段及其对应的 UDM 字段：

Log field	UDM mapping	Logic
`properties.Timestamp`	`metadata.event_timestamp`
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `EMAIL_TRANSACTION`.
`properties.ReportId`	`metadata.product_log_id`
`properties.EmailDirection`	`network.direction`	If the `properties.EmailDirection` log field value is equal to `Inbound`, then the `network.direction` UDM field is set to `INBOUND`. Else, if the `properties.EmailDirection` log field value is equal to `Outbound`, then the `network.direction` UDM field is set to `OUTBOUND`. Else, the `network.direction` UDM field is set to `UNKNOWN_DIRECTION`.
`properties.NetworkMessageId`	`network.email.mail_id`
`properties.Subject`	`network.email.subject`
`properties.RecipientEmailAddress`	`network.email.to`
`properties.SenderFromDomain`	`principal.administrative_domain`
`properties.SenderIPv4`	`principal.ip`
`properties.SenderIPv6`	`principal.ip`
`properties.SenderMailFromAddress`	`principal.user.attribute.labels[sender_mail_from_address]`
`properties.SenderFromAddress`	`principal.user.email_addresses`	If the `properties.SenderFromAddress` log field value matches the regular expression pattern `^.+@.+$`, then the `properties.SenderFromAddress` log field is mapped to the `principal.user.email_addresses` UDM field.
`properties.SenderMailFromDomain`	`principal.user.attribute.labels[sender_mail_from_domain]`
`properties.SenderObjectId`	`principal.user.product_object_id`
`properties.SenderDisplayName`	`principal.user.user_display_name`
`properties.ThreatTypes`	`security_result.category`	If the `properties.ThreatTypes` log field value is equal to `Phish`, then the `security_result.category` UDM field is set to `MAIL_PHISHING`.
`properties.ThreatTypes`	`security_result.category_details`
`properties.ConfidenceLevel`	`security_result.confidence_details`
`properties.EmailAction`	`security_result.description`
`properties.AuthenticationDetails`	`security_result.detection_fields[authentication_details]`
`properties.BulkComplaintLevel`	`security_result.detection_fields[bulk_complaint_level]`
`properties.DetectionMethods`	`security_result.detection_fields[detection_methods]`
`properties.EmailActionPolicyGuid`	`security_result.rule_id`
`properties.EmailActionPolicy`	`security_result.rule_name`
`properties.ThreatNames`	`security_result.threat_name`
`properties.OrgLevelAction`	`security_result.rule_labels[org_level_action]`
`properties.OrgLevelPolicy`	`security_result.rule_labels[org_level_policy]`
`properties.UserLevelAction`	`security_result.rule_labels[user_level_action]`
`properties.UserLevelPolicy`	`security_result.rule_labels[user_level_policy]`
`properties.RecipientEmailAddress`	`target.user.email_addresses`	If the `properties.RecipientEmailAddress` log field value matches the regular expression pattern `^.+@.+$`, then the `properties.RecipientEmailAddress` log field is mapped to the `target.user.email_addresses` UDM field.
`properties.RecipientObjectId`	`target.user.product_object_id`
`properties.AdditionalFields`	`additional.fields[additional_fields]`
`properties.DeliveryAction`	`additional.fields[delivery_action]`
`properties.DeliveryLocation`	`additional.fields[delivery_location]`	The `properties.DeliveryLocation` log field is mapped to the `additional.fields.delivery_location` UDM field.
`properties.EmailClusterId`	`additional.fields[email_cluster_id]`
`properties.EmailLanguage`	`additional.fields[email_language]`
`properties.InternetMessageId`	`additional.fields[internet_message_id]`
`properties.LatestDeliveryLocation`	`additional.fields[last_delivery_location]`
`properties.UrlCount`	`additional.fields[connectors]`
`properties.Connectors`	`additional.fields[attachment_count]`
`properties.AttachmentCount`	`additional.fields[latest_delivery_action]`
`properties.LatestDeliveryAction`	`additional.fields[latest_delivery_action]`

字段映射参考信息：MICROSOFT DEFENDER ENDPOINT - EmailPostDeliveryEvents

下表列出了 EmailPostDeliveryEvents 日志类型的日志字段及其对应的 UDM 字段：

Log field	UDM mapping	Logic
`properties.Timestamp`	`metadata.event_timestamp`
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `EMAIL_UNCATEGORIZED`.
`properties.ReportId`	`security_result.detection_fields[report_id]`
`properties.NetworkMessageId`	`network.email.mail_id`
`properties.ActionResult`	`security_result.summary`
`properties.ThreatTypes`	`security_result.category`	If the `properties.ThreatTypes` log field value is equal to `Phish`, then the `security_result.category` UDM field is set to `MAIL_PHISHING`.
`properties.ThreatTypes`	`security_result.category_details`
`properties.ActionTrigger`	`security_result.detection_fields[action_trigger]`
`properties.DeliveryLocation`	`security_result.detection_fields[delivery_location]`
`properties.DetectionMethods`	`security_result.detection_fields[detection_methods]`
`properties.Action`	`security_result.action_details`
`properties.ActionType`	`security_result.verdict_info.verdict_type`	If the `properties.ActionType` log field value is equal to `Manual Remediation`, then the `security_result.verdict_info.verdict_type` UDM field is set to `ANALYST_VERDICT`. Else, if the `properties.ActionType` log field contains one of the following values, then the `security_result.verdict_info.verdict_type` UDM field is set to `PROVIDER_ML_VERDICT`. `Phish ZAP` `Malware ZAP` `Spam ZAP` .
`properties.RecipientEmailAddress`	`target.user.email_addresses`	If the `properties.RecipientEmailAddress` log field value matches the regular expression pattern `^.+@.+$`, then the `properties.RecipientEmailAddress` log field is mapped to the `target.user.email_addresses` UDM field.
`properties.InternetMessageId`	`additional.fields[internet_message_id]`

字段映射参考信息：MICROSOFT DEFENDER ENDPOINT - EmailUrlInfo

下表列出了 EmailUrlInfo 日志类型的日志字段及其对应的 UDM 字段：

Log field	UDM mapping	Logic
`properties.UrlDomain`	`target.hostname`
`properties.Url`	`target.url`
`properties.Timestamp`	`metadata.event_timestamp`
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `EMAIL_TRANSACTION`.
`properties.ReportId`	`metadata.product_log_id`
`properties.NetworkMessageId`	`network.email.mail_id`
`properties.UrlLocation`	`additional.fields[url_location]`

字段映射参考信息：MICROSOFT DEFENDER ENDPOINT - IdentityInfo

下表列出了 IdentityInfo 日志类型的日志字段及其对应的 UDM 字段：

Log field	UDM mapping	Logic
`properties.SourceSystem`	`entity.resource.parent`
`properties.AccountDomain`	`entity.administrative_domain`
`properties.TenantId`	`entity.resource.product_object_id`
`properties.CreatedDateTime`	`entity.user.attribute.creation_time`
`properties.AccountUpn`	`entity.user.attribute.labels[account_upn]`
`properties.ChangeSource`	`entity.user.attribute.labels[change_source]`
`properties.CloudSid`	`entity.user.attribute.labels[cloud_sid]`
`properties.ReportId`	`entity.user.attribute.labels[report_id]`
`properties.SipProxyAddress`	`entity.user.attribute.labels[sip_proxy_address]`
`properties.SourceProvider`	`entity.user.attribute.labels[source_provider]`
`properties.Tags`	`entity.user.attribute.labels[tags]`
`properties.Type`	`entity.user.attribute.role.name`
`properties.DistinguishedName`	`entity.user.attributes.labels[distinguished_name]`
`properties.Department`	`entity.user.department`
`properties.EmailAddress`	`entity.user.email_addresses`	If the `properties.EmailAddress` log field value matches the regular expression pattern `^.+@.+$`, then the `properties.EmailAddress` log field is mapped to the `entity.user.email_addresses` UDM field.
`properties.GivenName`	`entity.user.first_name`
`properties.Surname`	`entity.user.last_name`
`properties.Manager`	`entity.user.managers.user_display_name`
`properties.City`	`entity.user.personal_address.city`
`properties.Country`	`entity.user.personal_address.country_or_region`
`properties.Address`	`entity.user.personal_address.name`
`properties.Phone`	`entity.user.phone_numbers`
`properties.AccountObjectId`	`entity.user.product_object_id`
`properties.AssignedRoles`	`entity.user.role_description`
`properties.JobTitle`	`entity.user.title`
`properties.IsAccountEnabled`	`entity.user.user_authentication_status`	If the `properties.IsAccountEnabled` log field value is equal to `1`, then the `entity.user.user_authentication_status` UDM field is set to `ACTIVE`. Else, the `entity.user.user_authentication_status` UDM field is set to `SUSPENDED`.
`properties.AccountDisplayName`	`entity.user.user_display_name`
`properties.AccountName`	`entity.user.userid`
`properties.OnPremSid`	`entity.user.attribute.labels[on_prem_sid]`
`properties.Timestamp`	`metadata.creation_time`
	`metadata.entity_type`	The `metadata.entity_type` UDM field is set to `USER`.
`properties.AccountObjectId`	`metadata.product_entity_id`

后续步骤

将数据注入到 Google SecOps