Collect Microsoft Graph security API alert logs

Supported in:

This document describes how you can collect Microsoft Graph security API alerts logs by setting up a Google Security Operations feed.

For more information, see Data ingestion to Google Security Operations.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the MICROSOFT_GRAPH_ALERT ingestion label.

Configure Microsoft Graph security API alerts

  1. Sign in to the Azure portal.
  2. Click Azure Active Directory.
  3. Click App Registrations.
  4. Click New registrations and create an application.
  5. Copy Client ID and Tenant ID, which are required when you configure the Google Security Operations feed.
  6. Click API permissions.
  7. Click Add a permission and then select Microsoft Graph in the new pane.
  8. Click Application Permissions.
  9. Expand the SecurityActions and SecurityEvents sections, and select Read.All permissions.
  10. Click Add permissions.
  11. Click Grant Admin consent for Default Directory.
  12. In the Manage menu, click Certificates & secrets.
  13. Click New Client secret, and create a new key.
  14. Copy the secret key from the Value field. The secret key is displayed only at the time of creation and is required when you configure the Google Security Operations feed.

Configure a Google Security Operations feed to ingest Microsoft Graph Security API alert logs

  1. From the Google Security Operations menu, select Settings, and then click Feeds.
  2. Click Add New.
  3. Select Third party API as the Source Type.
  4. To create a feed for Microsoft Graph security API alerts, select Microsoft Graph API Alerts as the Log Type.
  5. Click Next.
  6. Configure the following input parameters:
    • OAuth Client ID: specify the client ID that you obtained previously.
    • OAuth Client Secret: specify the client secret that you obtained previously.
    • TenantId: specify the tenant ID that you obtained previously.
    • API Full Path: specify the following path: graph.microsoft.com/v1.0/security/alerts.
    • API Authentication Endpoint: specify the following endpoint: https://login.microsoftonline.com/{tenantId}/oauth2/token
  7. Click Next and then click Submit.

For more information about Google Security Operations feeds, see Google Security Operations feeds documentation. For information about requirements for each feed type, see Feed configuration by type.

If you encounter issues when you create feeds, contact Google Security Operations support.

Field mapping reference

This parser transforms Microsoft Graph Alerts (JSON) into the Chronicle UDM. It extracts fields, maps them to UDM, handles nested structures like userStates, processes, and networkConnections, enriches data with MITRE ATT&CK mappings, and performs specific logic based on the alert title and description for accurate representation in Chronicle.

UDM Mapping Table

Log Field UDM Mapping Logic
assignedTo security_result.detection_fields[].value The value of assignedTo is placed in a detection_fields object with the corresponding key "assignedTo".
azureTenantId metadata.product_deployment_id Direct mapping.
category security_result.summary Direct mapping. Also used as the value for metadata.product_event_type if no other value is present.
classification security_result.detection_fields[].value The value of classification is placed in a detection_fields object with the corresponding key "classification". Also used as the value for metadata.product_event_type if no other value is present.
clientApplication vendorInformation.provider Used as the value for vendorInformation.provider if the original vendorInformation.provider is empty.
cloudAppStates[].destinationServiceName target.application (index 0), about[].application (subsequent indices) The destinationServiceName of the first element in cloudAppStates is mapped to target.application. Subsequent elements are mapped to about[].application.
comments[].comment security_result.detection_fields[].value The value of each comment in comments is placed in a detection_fields object with the corresponding key "comment {index}".
comments[].createdByDisplayName security_result.detection_fields[].value The value of each createdByDisplayName in comments is placed in a detection_fields object with the corresponding key "createdByDisplayName {index}".
comments[].createdDateTime security_result.detection_fields[].value The value of each createdDateTime in comments is placed in a detection_fields object with the corresponding key "createdDateTime {index}".
compromisedEntity principal.hostname, principal.asset.hostname Used as the value for principal.hostname and principal.asset.hostname if CustomProperties is present.
createdDateTime metadata.collected_timestamp Parsed as a timestamp and mapped.
CustomProperties Various Parsed as JSON and used to populate several UDM fields, including principal.hostname, principal.ip, target.ip, target.port, network.application_protocol, and security_result.detection_fields[]. Specific logic for each field is detailed in the parser code.
description security_result.description, metadata.description Direct mapping to security_result.description. Also mapped to metadata.description if present. Used to extract principal.hostname if it matches specific patterns.
detectorId security_result.detection_fields[].value The value of detectorId is placed in a detection_fields object with the corresponding key "detectorId".
determination security_result.detection_fields[].value The value of determination is placed in a detection_fields object with the corresponding key "determination".
detectionSource security_result.detection_fields[].value The value of detectionSource is placed in a detection_fields object with the corresponding key "detectionSource".
eventDateTime metadata.event_timestamp Parsed as a timestamp and mapped. Used as fallback for event_time if firstActivityDateTime and properties.detectedTimeUtc are not present.
evidence[] Various Parsed as JSON and used to populate several UDM fields, primarily related to principal, target, and intermediary objects. Specific logic for each field is detailed in the parser code.
fileStates[].fileHash.hashValue target.file.sha1, target.file.sha256, about[].file.sha1, about[].file.sha256 Mapped to the appropriate SHA hash field based on hashType.
fileStates[].name target.file.full_path (part), about[].file.full_path (part) Used in conjunction with path to construct the full_path for target.file or about[].file.
fileStates[].path target.file.full_path, about[].file.full_path Used in conjunction with name to construct the full_path for target.file or about[].file.
firstActivityDateTime event_time Parsed as a timestamp and mapped. Used as preferred value for event_time if present.
hostStates[].fqdn target.hostname, target.asset.hostname, about[].hostname Mapped to target.hostname and target.asset.hostname for the first element in hostStates. Subsequent elements are mapped to about[].hostname.
hostStates[].netBiosName target.hostname, target.asset.hostname, about[].hostname Used as fallback for hostname if fqdn is not present.
hostStates[].os target.platform, target.asset.platform_software.platform, about[].platform Mapped to the appropriate platform value (WINDOWS, LINUX, MAC) based on the value of os.
hostStates[].privateIpAddress target.ip, target.asset.ip, about[].ip Mapped to target.ip and target.asset.ip for the first element in hostStates. Subsequent elements are mapped to about[].ip.
hostStates[].publicIpAddress target.ip, target.asset.ip, about[].ip Mapped to target.ip and target.asset.ip for the first element in hostStates. Subsequent elements are mapped to about[].ip.
id metadata.product_log_id Direct mapping.
incidentId security_result.detection_fields[].value The value of incidentId is placed in a detection_fields object with the corresponding key "incidentId".
incidentWebUrl security_result.url_back_to_product Direct mapping.
lastModifiedDateTime metadata.event_timestamp Parsed as a timestamp and mapped. Used as fallback for event_time if other timestamp fields are not present.
lastUpdateDateTime security_result.detection_fields[].value, event_time The value of lastUpdateDateTime is placed in a detection_fields object with the corresponding key "lastUpdateDateTime". Also parsed as a timestamp and mapped to event_time if present.
malwareStates[].name security_result.threat_name Direct mapping.
mitreTechniques[] security_result.attack_details.techniques[], security_result.attack_details.tactics[] Used to populate security_result.attack_details.techniques[] and security_result.attack_details.tactics[] based on MITRE mappings.
name idm.read_only_udm.security_result.rule_name Used as the value for security_result.rule_name if title is empty.
networkConnections[].destinationPort target.port (index 0) Mapped for the first element in networkConnections. Converted to an integer.
networkConnections[].destinationUrl target.hostname, target.asset.hostname, about[].url Used to extract the hostname and map it to target.hostname and target.asset.hostname for the first element in networkConnections. Subsequent elements are mapped to about[].url.
networkConnections[].protocol network.ip_protocol Converted to uppercase and mapped.
networkConnections[].sourceAddress principal.ip, principal.asset.ip, about[].ip Mapped to principal.ip and principal.asset.ip for the first element in networkConnections. Subsequent elements are mapped to about[].ip.
networkConnections[].sourceLocation principal.location, about[].location Parsed and mapped to principal.location for the first element in networkConnections. Subsequent elements are parsed and mapped to about[].location.
processes[] target.process, about[].process Used to populate fields related to target.process for the first element in processes. Subsequent elements are mapped to about[].process.
productName metadata.product_name Direct mapping.
properties.alertDisplayName security_result.rule_name Used as the value for security_result.rule_name if title is empty.
properties.alertName security_result.summary Used as the value for security_result.summary if category is empty. Also used as the value for security_result.rule_name if both title and properties.alertName are empty.
properties.detectedTimeUtc event_time Parsed as a timestamp and mapped. Used as fallback for event_time if firstActivityDateTime is not present.
properties.description security_result.description Used as the value for security_result.description if the original description is empty.
properties.extendedProperties.'client Application' vendorInformation.provider Used as the value for vendorInformation.provider if the original vendorInformation.provider is empty.
properties.extendedProperties.'client Hostname' principal.hostname Direct mapping.
properties.extendedProperties.'client IP Address' principal.ip, principal.asset.ip Direct mapping.
properties.extendedProperties.'client Principal Name' target.user.userid, security_result.about.user.email_addresses Mapped to target.user.userid. If it's an email address, it's also added to security_result.about.user.email_addresses.
properties.remediationSteps security_result.action_details Direct mapping.
properties.reportedSeverity security_result.severity Used as the value for security_result.severity if the original severity is empty. Converted to uppercase.
properties.state security_result.detection_fields[].value The value of properties.state is placed in a detection_fields object with the corresponding key "Status".
recommendedActions security_result.action_details Used to construct security_result.action_details by concatenating all elements. Also used as the value for security_result.action_details if the original recommendedActions is not an array.
resolvedDateTime security_result.detection_fields[].value The value of resolvedDateTime is placed in a detection_fields object with the corresponding key "resolvedDateTime".
securityResources[].resource security_result.about.resource.name Direct mapping.
securityResources[].resourceType security_result.about.resource.resource_subtype Direct mapping.
serviceSource metadata.product_name Used to construct metadata.product_name if productName and vendorInformation.provider are empty. The value is parsed to remove "microsoft " and add spaces between capitalized words.
severity security_result.severity Direct mapping. Converted to uppercase.
sourceMaterials[] security_result.url_back_to_product, about[].url The first element in sourceMaterials is mapped to security_result.url_back_to_product. Subsequent elements are mapped to about[].url.
status security_result.detection_fields[].value The value of status is placed in a detection_fields object with the corresponding key "Status".
tenantId metadata.product_deployment_id Direct mapping.
threatDisplayName security_result.threat_name Direct mapping.
threatFamilyName security_result.threat_feed_name Direct mapping.
title security_result.rule_name Direct mapping.
userStates[].aadUserId principal.user.product_object_id, target.user.product_object_id, about[].user.userid Mapped to principal.user.product_object_id or target.user.product_object_id depending on the context. Also mapped to about[].user.userid for subsequent elements in userStates.
userStates[].accountName target.user.user_display_name, about[].user.user_display_name Mapped to target.user.user_display_name for the first element in userStates. Subsequent elements are mapped to about[].user.user_display_name.
userStates[].domainName target.administrative_domain, about[].administrative_domain Mapped to target.administrative_domain for the first element in userStates. Subsequent elements are mapped to about[].administrative_domain.
userStates[].emailRole network.email.from, network.email.to, about[].email Used to determine whether userPrincipalName should be mapped to network.email.from or network.email.to. If neither, it's mapped to about[].email.
userStates[].logonIp principal.ip, principal.asset.ip, about[].ip Mapped to principal.ip and principal.asset.ip for the first element in userStates. Subsequent elements are mapped to about[].ip.
userStates[].logonLocation principal.location, about[].location Parsed and mapped to principal.location for the first element in userStates. Subsequent elements are parsed and mapped to about[].location.
userStates[].onPremisesSecurityIdentifier target.user.windows_sid Direct mapping.
userStates[].userPrincipalName target.user.userid, target.user.email_addresses, about[].user.userid, about[].user.email_addresses Mapped to target.user.userid or added to target.user.email_addresses based on whether it's an email address. Subsequent elements are mapped similarly to about[].user.
vendorInformation.provider metadata.product_name Used in conjunction with vendorInformation.subProvider or alone to construct metadata.product_name if productName is empty.
vendorInformation.subProvider metadata.product_name, metadata.product_event_type Used in conjunction with vendorInformation.provider to construct metadata.product_name if productName is empty. Also used as the value for metadata.product_event_type if title is empty.
vendorInformation.vendor metadata.vendor_name Overwrites the default value of "Microsoft" for metadata.vendor_name.

Changes

2024-06-05

  • Handled parsing error.

2024-05-27

  • Removed "incidentWebUrl" from "metadata.ingestion_labels".
  • Mapped "userStates.onPremisesSecurityIdentifier" to "target.user.windows_sid".

2024-05-23

  • Mapped "lastUpdatedDateTime" to "metadata.event_timestamp".

2024-05-20

  • Mapped "classification", "comments.n.comment", "comments.n.createdByDisplayName", and "comments.n.createdDateTime" to "security_result.detection_fields".

2024-05-13

  • When "evidence.@odata.type" is "fileEvidence", then mapped "evidence.fileDetails." fields to "principal.process.file." fields.
  • When "evidence" has only one "deviceEvidence", then mapped "evidence." fields to "principal." fields.
  • When "evidence" does not have "PrimaryDevice" or "source" and has multiple "deviceEvidence" fields, then mapped "evidence." fields to "principal." fields when "evidence.mdeDeviceId" is not null.

2024-04-17

  • Mapped "productName" to "metadata.product_name".
  • Mapped "networkConnection.destinationPort" to "target.port".
  • When "index=1" then mapped "userStates.logonDateTime" to "security_result.first_discovered_time".
  • When "index=0" then mapped "userStates.logonDateTime" to "security_result.last_discovered_time".

2024-04-16

  • Bug-Fix:
  • Mapped "CustomProperties.resourceType" to "target.resource.name".
  • Mapped "CustomProperties.EffectiveAzureResourceId" to "target.resource.product_object_id".
  • Mapped "CustomProperties.ContainerName", "CustomProperties.ContainerImage", "CustomProperties.ObjectName", "CustomProperties.ObjectKind", "CustomProperties.CompromisedEntity", and "CustomProperties.namespace" to "target.resource.labels".

2024-04-15

  • Bug-Fix:
  • When "evidence.@data.type" contains "deviceEvidence" and "evidence.detailedRoles" contains "PrimaryDevice", then mapped "evidence." details to "principal.".
  • When "evidence.role" contains "destination", then mapped "evidence." details to "target."
  • When "evidence.role" contains "source", then mapped "evidence." details to "principal."
  • When "evidence.@data.type" contains "userEvidence", then mapped "evidence.userAccount." fields to "principal.user." fields.
  • Mapped "assignedTo", "resolvedDateTime" to "security_result.detection_fields".

2024-03-25

  • Changed mapping of "detectionSource", "detectorId", "determination" and "incidentId" from "metadata.ingestion_labels" to "security_result.detection_fields".

2024-02-23

  • Bug-Fix:
  • Changed mapping of "createdDateTime" from "metadata.event_timestamp" to "metadata.collected_timestamp".
  • Mapped "firstActivityDateTime" to "metadata.event_timestamp".
  • Aligned "principal/target.ip/hostname" to "principal/target.asset.ip/hostname".
  • Removed mapping of "detectorId" to "metadata.product_log_id" and mapped "id" to "metadata.product_log_id".
  • Mapped "detectorId" to "metadata.ingestion_labels".

2024-01-12

  • Mapped "hostname" from "description" to "principal.hostname".
  • When "title" is "Activity from an anonymous proxy", added a new Grok pattern to parse "description" with two IP addresses.
  • Mapped "principal_ip1" to "principal.ip".

2023-12-06

  • Fix:
  • Added a check for "title" removing a unicode character for "Email messages containing malicious URL removed after delivery".

2023-12-06

  • Mapped username from "userNameLoop.userPrincipalName" to "target.user.userid".

2023-11-27

  • Mapped hostname from "networkConnection.destinationUrl" to "target.hostname".
  • When "evidence.@odata.type" is "processEvidence", then mapped "evidence.imageFile.fileName" to "principal.process.file.names".
  • When "evidence.@odata.type" is "processEvidence", then mapped "evidenceimageFile.filePath"\"evidence.imageFile.fileName" to "principal.process.file.full_path".
  • When "evidence.@odata.type" is "processEvidence", then mapped "evidence.parentProcessImageFile.fileName" to "principal.process.parent_process.file.names".
  • When "evidence.@odata.type" is "processEvidence", then mapped "evidence.parentProcessImageFile.filePath"\evidence.parentProcessImageFile.fileName" to "principal.process.parent_process.file.full_path".

2023-09-15

  • Fix :
  • Changed mapping of "title" to "security_result.rule_name" from "security_result.summary".
  • Changed mapping of "category" to "security_result.summary" from "security_result.rule_name".
  • Mapped "target.user.userid", "target.user.email_addresses" correctly to match "network.email.to".

2023-08-31

  • Mapped "threatDisplayName" to "security_result.category_details" where "serviceSource" is "microsoftDefenderForEndpoint".

2023-08-16

  • Mapped "security_result.attack_details.technique_id" based on "subtechnique_id".

2023-07-21

  • Added MITRE ATT&CK tactic and technique details mapping to "security_result.attack_details".

2023-05-19

  • Added an 'on_error' check to "userNameLoop.userPrincipalName" JSON filter.
  • Added check for "principal_ip" to UDM.
  • Added a regular expression check to "email" prior mapping to "security_result.about.user.email_addresses". If it is not an email address, mapped it to "security_result.about.user.user_display_name".
  • Added a regular expression check to "evidencedata.subject" prior mapping to "network.email.from".
  • Added a null check to "evidencedata.subject" prior mapping to "network.email.subject".
  • Added "security_result.attack_details.techniques" and "security_result.attack_details.tactics" according to "title".

2023-04-19

  • Added a for loop to map "userNameLoop.userPrincipalName" if it is an array of emails.
  • Added a Grok pattern check to "hostname" prior mapping to "about.hostname".

2023-04-06

  • Added regular expression check to "evidencedata.primaryAddress" prior mapping.
  • Mapped "category" to "security_result.threat_name" if "threatDisplayName" is null.

2023-03-26

  • Enhancement -
  • Mapped "CustomProperties.Compromised Host" to "principal.hostname".
  • Mapped "CustomProperties.Attacker IP" to "principal.ip".
  • Mapped "CustomProperties.Victim IP" to "target.ip".
  • Mapped "CustomProperties.Attacked Port" to "target.port".
  • Mapped "CustomProperties.Attacked Protocol" to "network.application_protocol".
  • Mapped "CustomProperties.Number of Connections", "CustomProperties.Business Impact", "CustomProperties.resourceType" to "security_result.detection_fields".

2023-03-09

  • Enhancement -
  • Dropped non-JSON (malformed) logs.
  • Mapped "lastModifiedDateTime" to "metadata.event_timestamp".
  • Mapped "vendorInformation.provider:vendorInformation.subProvider" to "metadata.product_name".
  • Modified "metadata.event_type" to "GENERIC_EVENT" when both "principal_user_userid" and "target" is null.
  • Mapped "alertWebUrl" to "metadata.url_back_to_product" instead of "network.http.referral_url".
  • Mapped "incidentWebUrl" to "security_result.url_back_to_product" and "metadata.ingestion_label" instead of "target.url".
  • Mapped "evidencedata.processCommandLine" to "principal.process.command_line".

2023-02-28

  • Customer Issue -
  • Modified mapping of "aadUserId" to "principal.user.product_object_id" from "principal.user.userid".

2023-02-27

  • Bug Fix -
  • Mapped "evidence.deviceDnsName" to "principal.hostname".
  • Mapped "evidence.mdeDeviceId" to "principal.resource.product_object_id".
  • Mapped "evidencedata.ipAddress" to "principal.ip".
  • Mapped "evidencedata.primaryAddress" to "principal.user.email_addresses".
  • If evidence data type is "cloudApplicationEvidence" then mapped following:
  • "evidencedata.displayName" to "target.application".
  • "evidencedata.instanceId" to "target.resource.product_object_id".
  • "evidencedata.instanceName" to "target.resource.name".
  • "evidencedata.appId", "evidencedata.saasAppId" to "target.resource.attribute.labels".
  • If evidence data type is "oauthApplicationEvidence" then mapped following:
  • "evidencedata.displayName" to "target.application".
  • "evidencedata.objectId" to "target.resource.product_object_id".
  • "evidencedata.appId", "evidencedata.publisher" to "target.resource.attribute.labels".
  • If evidence data type is "analyzedMessageEvidence" then mapped following:
  • "evidencedata.antiSpamDirection" to "network.direction".
  • "evidencedata.recipientEmailAddress" to "network.email.from".
  • "evidencedata.senderIp" to "principal.ip".
  • "evidencedata.subject" to "network.email.subject".
  • Mapped "evidencedata.imageFile.filePath\evidencedata.imageFile.fileName" to "intermediary.process.file.full_path".
  • Mapped "evidencedata.userAccount.accountName" to "intermediary.user.user_display_name".
  • Mapped "evidencedata.userAccount.azureAdUserId" to "intermediary.user.userid".
  • Mapped "evidencedata.userAccount.userSid" to "intermediary.user.windows_sid".
  • Mapped "evidencedata.userAccount.domainName" to "intermediary.administrative_domain".
  • Mapped "evidencedata.processId" to "intermediary.process.pid".
  • Mapped "evidencedata.parentProcessId" to "intermediary.process.parent_process.pid".
  • Mapped "evidencedata.parentProcessImageFile.fileSize" to "intermediary.process.parent_process.file.size".
  • Mapped "evidencedata.processCommandLine" to "intermediary.process.command_line".
  • Mapped "evidencedata.url" to "intermediary.url".
  • If evidence data type is "registryKeyEvidence" then mapped following:
  • "evidencedata.registryKey" to "intermediary.registry.registry_key".
  • "evidencedata.registryHive" to "intermediary.registry.registry_value_data".
  • If evidence data type is "registryValueEvidence" then mapped following:
  • "evidencedata.registryKey" to "intermediary.registry.registry_key".
  • "evidencedata.registryValue" to "intermediary.registry.registry_value_data".
  • "evidencedata.registryValueName" to "intermediary.registry.registry_value_name".

2023-02-24

  • Customer Issue -
  • Mapped "vendorInformation.provider" to "metadata.product_name" if "service_source" is null.

2023-02-13

  • Customer Issue -
  • Removed else condition and facilitated mapping of 'principal.user.userid' and 'target.user.userid'.

2023-01-25

  • Bug Fix -
  • Mapped "metadata.vendor_name" to "Microsoft".
  • Mapped "serviceSource" to "metadata.product_name".
  • Mapped "threatFamilyName" to "security_result.threat_feed_name".
  • Mapped following when 2 or more file data occurred in log:
  • Mapped "evidence.fileDetails.filePath"\"evidencedata.fileDetails.fileName" to "intermediary.process.file.full_path".
  • Mapped "evidence.fileDetails.fileSize" to "intermediary.process.file.size".
  • Mapped "evidence.fileDetails.sha1" to "intermediary.process.file.sha1".
  • Mapped "evidence.fileDetails.sha256" to "intermediary.process.file.sha256".

2022-12-27

  • Enhancement -
  • Mapped "aadUserId" to "target.user.product_object_id".
  • Mapped "status" to "security_result.detection_fields".
  • Added gsub for "fileState.path".

2022-12-15

  • Enhancement -
  • Mapped "aadUserId" to "principal.user.userid".
  • Added condition for "userPrincipalName" to check for "userid" or "user.email_addresses".

2022-11-25

  • Enhancement -
  • Mapped "azureTenantId" to "metadata.product_deployment_id" instead of "security_result.about.asset.attribute.cloud.project.product_object_id".

2022-11-23

  • Bug Fix -
  • Modified metadata.event_timestamp.
  • Added on_error statement for "description".

2022-10-31

  • Enhancement -
  • Added support for v2 Alert API logs and added following mappings.
  • Mapped "createdDateTime" to "metadata.event_timestamp".
  • Mapped "recommendedActions" to "security_result.action_details".
  • Mapped "threatDisplayName" to "security_result.threat_name".
  • Mapped "assignedTo" to "target.user.userid".
  • Mapped "evidence.loggedOnUsers.0.accountName" to "principal.user.userid".
  • Mapped "evidence.loggedOnUsers.0.domainName" to "principal.hostname".
  • Mapped "evidence.fileDetails.filePath"\"evidencedata.fileDetails.fileName" to "target.process.file.full_path".
  • Mapped "evidence.fileDetails.fileSize" to "target.process.file.size".
  • Mapped "evidence.fileDetails.sha1" to "target.process.file.sha1".
  • Mapped "evidence.fileDetails.sha256" to "target.process.file.sha256".
  • Mapped "alertWebUrl" to "network.http.referral_url".
  • Mapped "incidentWebUrl" to "target.url".
  • Mapped "classification" to "metadata.product_event_type".
  • Mapped "detectorId" to "metadata.product_log_id".
  • Mapped "detectionSource" to "metadata.ingestion_labels".
  • Mapped "determination" to "metadata.ingestion_labels".
  • Mapped "incidentId" to "metadata.ingestion_labels".
  • Mapped "serviceSource" to "metadata.ingestion_labels".
  • Mapped "tenantId" to "metadata.ingestion_labels".

2022-10-11

  • Enhancement - Modified grok pattern to parse value of "userStates.userPrincipalName" and mapped it to "target.user.userid".
  • Added condition to check if target field is present then map "metadata.event_type" to "USER_LOGIN" else map it to "USER_UNCATEGORIZED".
  • Modified "metadata.event_type" from "GENERIC_EVENT" to "STATUS_UPDATE/USER_UNCATEGORIZED" wherever possible.
  • Added on_error statement for "hostname".

2022-06-07

  • Enhancement - If fileState.fileHash.hashValue is not empty, metadata.event_type is mapped to SCAN_FILE.