Change log for MICROSOFT_DEFENDER_ENDPOINT

Date Changes
2024-12-11 Enhancement:
- Added a Grok pattern to map "ReportId" to "metadata.product_log_id".
- Added "gsub" to map "properties.ReportId" to "metadata.product_log_id".
2024-11-28 Enhancement:
- When "ActionType" is either "RegistryValueDeleted" or "RegistryKeyDeleted", then mapped "properties.PreviousRegistryKey" to "target.registry.registry_key".
- When "ActionType" is either "RegistryValueDeleted" or "RegistryKeyDeleted", then mapped "properties.PreviousRegistryValueName" to "target.registry.registry_value_name".
- When "ActionType" is either "RegistryValueDeleted" or "RegistryKeyDeleted", then mapped "metadata.event_type" to "REGISTRY_DELETION".
2024-11-21 Enhancement:
- Mapped "properties.LogonType" to "extensions.auth.mechanism".
2024-11-14 Enhancement:
- When the "category" field is either "AdvancedHunting-DeviceNetworkInfo" or "AdvancedHunting-DeviceInfo", then mapped the corresponding fields to "entity.records".
2024-11-14 Enhancement:
- When the "category" field is either "AdvancedHunting-DeviceNetworkInfo" or "AdvancedHunting-DeviceInfo", then mapped the corresponding fields to "entity.records".
2024-10-31 Enhancement:
- Added "gsub" to support a new pattern of JSON logs.
2024-10-22 Enhancement:
- Added support to parse new format of unparsed JSON logs.
2024-09-24 Enhancement:
- Mapped "properties.InitiatingProcessVersionInfoProductName" to "additional.fields".
- Mapped "properties.InitiatingProcessVersionInfoCompanyName" to "principal.user.company_name".
- Mapped "properties.InitiatingProcessVersionInfoProductVersion" to "metadata.product_version".
- Mapped "properties.InitiatingProcessVersionInfoInternalFileName", "properties.InitiatingProcessVersionInfoOriginalFileName", and "properties.InitiatingProcessVersionInfoFileDescription" to "principal.resource.attribute.labels".
- Mapped "InitiatingProcess_IntegrityLevel" and "InitiatingProcess_TokenElevation" to "about.labels".
- Mapped "rec.properties.ActionType" to "security_result.summary".
- Mapped "metadata.vendor_name" to "Microsoft".
- Mapped "InitiatingProcess_FolderPath" to "principal.process.file.full_path".
- Mapped "record.properties.FileSize" to "target.process.file.size".
- Mapped "record.properties.DeviceId" to "principal.asset.asset_id" and "principal.asset_id".
2024-07-11 Enhancement:
- Added support to handle JSON logs.
2024-07-02 - Updated parser to support System header.
2024-07-01 Enhancement:
- Mapped "_AdditionalFields.Recipient" to "network.email.to".
- Mapped "_AdditionalFields.Sender" to "network.email.from".
- Mapped "_AdditionalFields.Subject" to "network.email.subject".
- Mapped "_AdditionalFields.SenderIP" to "principal.ip" and "principal.asset.ip".
- When "has_email_info" is true, then set "metadata.event_type" to "EMAIL_TRANSACTION".
2024-05-21 Bug-Fix:
- Mapped "properties.FailureReason" to "security_result.description".
2024-05-02 Bug-Fix:
- Added conditional check for event_type "FILE_DELETION" and "FILE_MODIFICATION".
2024-04-29 Bug-Fix:
- Modified a Grok pattern to parse the entire value to the "target.file.full_path" field.
2024-04-25 Enhancements:
- Mapped "properties.appliedConditionalAccessPolicies.result", "properties.correlationId", "properties.authenticationProcessingDetails", "properties.networkLocationDetails", and "properties.authenticationDetails" to "security_result.detection_fields".
- Mapped "properties.appliedConditionalAccessPolicies.displayName" to "security_result.rule_name".
- Mapped "properties.appliedConditionalAccessPolicies.id" to "security_result.rule_id".
- Mapped "properties.deviceDetail.deviceId" to "principal.asset.asset_id" and "principal.asset_id".
- Mapped "properties.userType", "properties.userType", "properties.homeTenantId", "properties.riskLevelAggregated", "properties.riskLevelDuringSignIn", "properties.riskState", "properties.riskDetail", and "properties.clientCredentialType" to "additional.fields".
- Mapped "properties.location.city" to "principal.location.city".
- Mapped "properties.location.state" to "principal.location.state".
- Mapped "properties.location.countryOrRegion" to "principal.location.country_or_region".
- Mapped "properties.location.geoCoordinates.latitude" to "principal.location.region_coordinates.latitude".
- Mapped "properties.location.geoCoordinates.longitude" to "principal.location.region_coordinates.longitude".
- Mapped "properties.appId" to "target.resource.attribute.labels".
- Mapped "identity" to "principal.user.userid".
- Mapped "properties.userId" to "target.user.product_object_id".
- Mapped "properties.userDisplayName" to "target.user.user_display_name".
- Mapped "properties.userPrincipalName" to "principal.user.email_addresses".
- Mapped "properties.userAgent" to "network.http.user_agent" and "network.http.parsed_user_agent".
2024-04-12 Enhancement:
- Added a gsub function to format invalid JSON to be valid JSON log.
2024-03-28 Changed mapping for additional fields to relevant fields.
2024-03-25 Enhancement:
- Added a gsub to format invalid JSON to be valid JSON log.
2024-03-07 Added mapping for additional fields.
2024-02-22 BugFix:
- When "category" is "AdvancedHunting-DeviceImageLoadEvents", then mapped "target.process.file.*" fields to "target.file.*" fields.
- When "properties.ActionType" is "FileDeleted", then mapped "metadata.event_type" to "FILE_DELETION".
2023-10-12 Enhancements:
- Modified mappings from using deprecated UDM fields to the following alternative fields:
- Added mapping of "properties.ServiceSource", "properties.DetectionSource", and "properties.AttackTechniques" to "security_result.about.resource.attribute.labels".
- Added mapping of "observer.cloud.project.id" to "target.resource_ancestors.product_object_id".
- Added mapping of "WasExecutingWhileDetected", "properties.IsLocalAdmin", "properties.InitiatingProcessTokenElevation","properties.labels_InitiatingProcessIntegrityLevel", and "properties.RemoteIPType" to "principal.resource.attribute.labels".
- Mapped "process.AdditionalFields", "InitiatingProcessPosixEffectiveUser", "InitiatingProcessPosixEffectiveGroup", "InitiatingProcessPosixRealUser", "ProcessPosixEffectiveUser", "ProcessPosixFileUserOwner", "InitiatingProcessPosixFilePermissions", and "ProcessPosixFilePermissions" to "principal.resource.attribute.labels".
- Mapped "process.AdditionalFields" to "entity.resource.attribute.labels" for the category "AdvancedHunting-DeviceInfo" and "AdvancedHunting-DeviceNetworkInfo".
2023-08-02 Enhancement-
- Mapped "DeviceId" to "principal.asset_id".
- Mapped "DeviceName" to "principal.hostname".
- Mapped "OSPlatform" to "principal.asset.platform_software.platform".
- Mapped "OSVersion","OSArchitecture" to "principal.asset.platform_software.platform_version".
- Mapped "properties.OSArchitecture" to "principal.asset.platform_software.platform_version".
- Mapped "SoftwareVendor" to "principal.asset.software.vendor_name".
- Mapped "SoftwareName" to "principal.asset.software.name".
- Mapped "SoftwareVersion" to "principal.asset.software.version".
- Mapped "CveId" to "extensions.vulns.vulnerabilities.cve_id".
- Mapped "VulnerabilitySeverityLevel" to "extensions.vulns.vulnerabilities.severity".
- Mapped "RecommendedSecurityUpdate" to "security_result.detection_fields".
- Mapped "RecommendedSecurityUpdateId" to "security_result.detection_fields".
2023-06-19 - Parserd logs with no entity relation data as "GENERIC_EVENTS" instead of dropping.
- Added regular expression check to "properties.SenderFromAddress" prior mapping to UDM.
2023-06-05 - Mapped "properties.RemoteUrl" to "target.url".
- If "category" is "AdvancedHunting-DeviceFileEvents", mapped the "properties.file" details to "target.file" fields, otherwise mapped it to "target.process.file" fields.
2023-05-23 Enhancement - Mapped "properties.FileOriginUrl" to "principal.url".
- Mapped "properties.FileOriginIP" to "principal.ip".
2023-05-03 Fix -
- Added a gsub to correct "MacAddress" format prior mapping to UDM.
- Mapped "metadata.event_type" to "STATUS_UPDATE" where "properties.ActionType" is "ServiceInstalled" and does not have any of "target.process" fields.
2023-01-15 BugFix -
- Wherever possible, parsed 'AdvancedHunting-DeviceInfo' logs where the 'LoggedOnUsers' field is empty and stored as entities.
2022-10-14 Enhancement -
- Mapped "properties.UrlDomain" to "target.hostname".
- Mapped "properties.Url" to "target.url".
- Mapped "properties.UrlLocation", "OperationName" to "additional.fields".
2022-10-07 Enhancement - Added mapping for unparsed log
- Mapped "metadata.event_type" to "event_type1".
Added condition check for event_type.
2022-09-02 Enhancement -
- Mapped "metadata.event_type" to "REGISTRY_CREATION" where "properties.ActionType" is "RegistryKeyCreated".
2022-08-11 Enhancements-
- Mapped properties.Title to security_result.threat_name.
- Mapped properties.AlertId to metadata.product_log_id.
- Mapped properties.Category to security_result.category_details.
- Mapped properties.Severity to security_result.severity_details.
- Mapped properties.ServiceSource to security_result.about.labels.
- Mapped properties.DetectionSource to security_result.about.labels.
- Mapped properties.AttackTechniques to security_result.about.labels.
- Added a new grok pattern to parse incorrect json format logs with type AlertInfo.
2022-06-02 Enhancement- Following mappings were added and modified.
Mapped DeliveryAction to security_result.action.
Mapped LogonType to extensions.auth.mechanism as INTERACTIVE additionally.
For AdditionalFields.IsLocalLogon, extensions.auth.mechanism has been updated as LOCAL or REMOTE,based on boolean value.
Mapped ReportId to metadata.product_log_id.
Mapped DetectionMethods to security_result.rule_name.
Mapped Severity to security_result.severity and security_result.severity_details.
Mapped category to metadata.product_event_type.
Mapped RemoteUrl to target.url.
Mapped DeviceId to principal.asset_id.
PreviousRegistryValueData, PreviousRegistryKey and PreviousRegistryValueName mapping modified from target to src.
FileType, FileName, SHA256 and FileSize mapping modified to about from target for EmailAttachmentInfo event.
InitiatingProcessFileName appended to InitiatingProcessFolderPath if file name is not present.
SenderFromAddress additionally mapped to principal.user.product_object_id.
InitiatingProcessAccountSid mapped to principal.user.windows_sid.
InitiatingProcessAccountName mapped to principal.user.userid.
AccountDomain, AccountName, AccountSid mapped to target.user.userid, target.administrative_domain and target.user.windows_sid respectively.
RecipientEmailAddress additionally mapped to target.user.email_addresses.
RecipientObjectId mapped to target.user.product_object_id.
Modified the value stored in metadata.vendor_name to 'Microsoft'.
2022-05-05 Enhancement-
1) Updated parsing logic for AccountName and InitiatingProcessAccountName to map both values to UDM. InitiatingProcessAccountName when populated is mapped to principal.user.userid, and AccountName to target.user.userid.
2022-03-30 Enhancements-
1) For events AdvancedHunting-DeviceNetworkInfo and AdvancedHunting-DeviceInfo :
- Changed mapping for deviceId from 'entity.asset.asset_id' to 'entity.asset.product_object_id'.
- Changed mapping for ReportId from 'entity.asset.product_object_id' to 'entity.asset.attribute.labels'.
2) For all other events:
- Mapped deviceId to 'metadata.product_log_id'.
- Changed mapping for ReportId from 'metadata.product_log_id' to 'about.labels'.