Change log for MICROSOFT_GRAPH_ALERT
| Date | Changes |
|---|---|
| 2024-09-06 | - Updated the parser logic to map all values of the "sourceMaterials" field to the "security_result.url_back_to_product" UDM field. |
| 2024-08-30 | - Updated the mapping of the "recipientEmailAddress" raw log field from "network.email.from" to "principal.network.email.to".<br>- Mapped "p2sender.emailAddress" and "p1sender.emailAddress" to the "security_result.about.network.from" UDM field.<br>- Mapped "deliveryAction" and "deliveryLocation" to the "security_result.detection_fields" UDM field. |
| 2024-08-09 | - Added mapping of the "fileStates.fileHash.hashType", "userStates.emailRole", "azureSubscriptionId" and "malwareStates.family" raw log fields.<br>- Mapped the "eventDateTime" log field to "additional.fields" when the value of "createdDateTime" is not empty.<br>- Updated the parser logic to parse the fields of the first object in "userStates" with the "target" noun and the fields of the remaining objects with the "about" noun.<br>- Changed mapping of "firstActivityDateTime" from "security_result.detection_fields" to "security_result.first_discovered_time".<br>- Changed mapping of "lastActivityDateTime" from "security_result.detection_fields" to "security_result.last_discovered_time".<br>- Changed mapping of "lastUpdateDateTime" from "security_result.detection_fields" to "security_result.last_updated_time".<br>- Populated the "principal.asset.platform_software" related fields into "principal.platform", "principal.platform_patch_level" and "principal.platform_version".<br>- Changed mapping of "mdeDeviceId" from "security_result.detection_fields" to "principal.asset_id" and "principal.asset.asset_id".<br>- Changed mapping of "evidence.vmMetadata.vmId" from "principal.asset.asset_id" to "principal.asset.attribute.labels".<br>- Changed mapping of "azureAdDeviceId" from "principal.asset.asset_id" to "security_result.detection_fields". |
| 2024-07-17 | Enhancement:<br>- Changed mapping of "createdDateTime" from "metadata.collected_timestamp" to "metadata.event_timestamp".<br>- Changed mapping of "firstActivityDateTime", "lastUpdatedDateTime" and "lastModifiedDateTime" from "metadata.event_timestamp" to "security_result.detection_fields".<br>- Mapped "ipInterfaces" to the "principal.ip" and "principal.asset.ip" UDM fields.<br>- Included the fileName component in all "full_path" UDM fields.<br>- Mapped "osPlatform" to "principal.asset.attribute.labels" with the key name "os_platform".<br>- Updated the "principal.asset.platform_software.platform" logic to map the "IOS" and "ANDROID" enums.<br>- Mapped "metadata.event_type" to "SCAN_HOST" for "Conteban malware was detected", "Fuerboos malware was detected", "EncDoc malware was prevented" and "Malware was detected in an iso disc image file". |
| 2024-06-19 | Enhancement:<br>- Added mapping for the deviceEvidence object fields.<br>- Updated the mapping for the processEvidence, userEvidence and urlEvidence object fields. |
| 2024-06-14 | Enhancement:<br>- Mapped "userNameLoop.userPrincipalName" to "target.user.userid". |
| 2024-06-12 | - Updated the Grok pattern to parse the correct hostname.<br>- Handled a parsing error. |
| 2024-06-05 | - Handled a parsing error. |
| 2024-05-27 | Enhancement:<br>- Removed "incidentWebUrl" from "metadata.ingestion_labels".<br>- Mapped "userStates.onPremisesSecurityIdentifier" to "target.user.windows_sid". |
| 2024-05-23 | Enhancement:<br>- Mapped "lastUpdatedDateTime" to "metadata.event_timestamp". |
| 2024-05-20 | Enhancement:<br>- Mapped "classification", "comments.n.comment", "comments.n.createdByDisplayName" and "comments.n.createdDateTime" to "security_result.detection_fields". |
| 2024-05-13 | Enhancement:<br>- When "evidence.@odata.type" is "fileEvidence", mapped the "evidence.fileDetails.*" fields to the "principal.process.file.*" fields.<br>- When "evidence" contains only one "deviceEvidence", mapped the "evidence.*" fields to the "principal.*" fields.<br>- When "evidence" contains multiple "deviceEvidence" objects and no "PrimaryDevice" or "source" role, mapped the "evidence.*" fields to the "principal.*" fields when "evidence.mdeDeviceId" is not null. |
| 2024-04-17 | Enhancement:<br>- Mapped "productName" to "metadata.product_name".<br>- Mapped "networkConnection.destinationPort" to "target.port".<br>- When "index=1", mapped "userStates.logonDateTime" to "security_result.first_discovered_time".<br>- When "index=0", mapped "userStates.logonDateTime" to "security_result.last_discovered_time". |
| 2024-04-16 | Bug-Fix:<br>- Mapped "CustomProperties.resourceType" to "target.resource.name".<br>- Mapped "CustomProperties.EffectiveAzureResourceId" to "target.resource.product_object_id".<br>- Mapped "CustomProperties.ContainerName", "CustomProperties.ContainerImage", "CustomProperties.ObjectName", "CustomProperties.ObjectKind", "CustomProperties.CompromisedEntity" and "CustomProperties.namespace" to "target.resource.labels". |
| 2024-04-15 | Bug-Fix:<br>- When "evidence.@odata.type" contains "deviceEvidence" and "evidence.detailedRoles" contains "PrimaryDevice", mapped the "evidence.*" details to "principal.*".<br>- When "evidence.role" contains "destination", mapped the "evidence.*" details to "target.*".<br>- When "evidence.role" contains "source", mapped the "evidence.*" details to "principal.*".<br>- When "evidence.@odata.type" contains "userEvidence", mapped the "evidence.userAccount.*" fields to the "principal.user.*" fields.<br>- Mapped "assignedTo" and "resolvedDateTime" to "security_result.detection_fields". |
| 2024-03-25 | Enhancement:<br>- Changed mapping of "detectionSource", "detectorId", "determination" and "incidentId" from "metadata.ingestion_labels" to "security_result.detection_fields". |
| 2024-02-23 | Bug-Fix:<br>- Changed mapping of "createdDateTime" from "metadata.event_timestamp" to "metadata.collected_timestamp".<br>- Mapped "firstActivityDateTime" to "metadata.event_timestamp".<br>- Aligned "principal/target.ip/hostname" with "principal/target.asset.ip/hostname".<br>- Removed the mapping of "detectorId" to "metadata.product_log_id" and mapped "id" to "metadata.product_log_id" instead.<br>- Mapped "detectorId" to "metadata.ingestion_labels". |
| 2024-01-12 | Enhancement:<br>- Mapped the hostname from "description" to "principal.hostname".<br>- When "title" is "Activity from an anonymous proxy", added a new Grok pattern to parse a "description" containing two IP addresses.<br>- Mapped "principal_ip1" to "principal.ip". |
| 2023-12-06 | Enhancement:<br>- Mapped the username from "userNameLoop.userPrincipalName" to "target.user.userid". |
| 2023-11-27 | Enhancement:<br>- Mapped the hostname from "networkConnection.destinationUrl" to "target.hostname".<br>- When "evidence.@odata.type" is "processEvidence", mapped "evidence.imageFile.fileName" to "principal.process.file.names".<br>- When "evidence.@odata.type" is "processEvidence", mapped "evidence.imageFile.filePath"\\"evidence.imageFile.fileName" to "principal.process.file.full_path".<br>- When "evidence.@odata.type" is "processEvidence", mapped "evidence.parentProcessImageFile.fileName" to "principal.process.parent_process.file.names".<br>- When "evidence.@odata.type" is "processEvidence", mapped "evidence.parentProcessImageFile.filePath"\\"evidence.parentProcessImageFile.fileName" to "principal.process.parent_process.file.full_path". |
| 2023-09-15 | Fix:<br>- Changed mapping of "title" from "security_result.summary" to "security_result.rule_name".<br>- Changed mapping of "category" from "security_result.rule_name" to "security_result.summary".<br>- Mapped "target.user.userid" and "target.user.email_addresses" correctly to match "network.email.to". |
| 2023-08-31 | - Mapped "threatDisplayName" to "security_result.category_details" where "serviceSource" is "microsoftDefenderForEndpoint". |
| 2023-08-16 | - Mapped "security_result.attack_details.technique_id" based on "subtechnique_id". |
| 2023-07-21 | - Added MITRE ATT&CK tactic and technique details mapping to "security_result.attack_details". |
| 2023-05-19 | - Added an 'on_error' check to the "userNameLoop.userPrincipalName" JSON filter.<br>- Added a check for "principal_ip" before mapping to UDM.<br>- Added a regular expression check to "email" prior to mapping it to "security_result.about.user.email_addresses"; if it is not an email address, mapped it to "security_result.about.user.user_display_name".<br>- Added a regular expression check to "evidencedata.subject" prior to mapping it to "network.email.from".<br>- Added a null check to "evidencedata.subject" prior to mapping it to "network.email.subject".<br>- Added "security_result.attack_details.techniques" and "security_result.attack_details.tactics" according to "title". |
| 2023-04-19 | - Added a for loop to map "userNameLoop.userPrincipalName" when it is an array of emails.<br>- Added a Grok pattern check to "hostname" prior to mapping it to "about.hostname". |
| 2023-04-06 | - Added a regular expression check to "evidencedata.primaryAddress" prior to mapping.<br>- Mapped "category" to "security_result.threat_name" if "threatDisplayName" is null. |
| 2023-03-26 | Enhancement:<br>- Mapped "CustomProperties.Compromised Host" to "principal.hostname".<br>- Mapped "CustomProperties.Attacker IP" to "principal.ip".<br>- Mapped "CustomProperties.Victim IP" to "target.ip".<br>- Mapped "CustomProperties.Attacked Port" to "target.port".<br>- Mapped "CustomProperties.Attacked Protocol" to "network.application_protocol".<br>- Mapped "CustomProperties.Number of Connections", "CustomProperties.Business Impact" and "CustomProperties.resourceType" to "security_result.detection_fields". |
| 2023-03-09 | Enhancement:<br>- Dropped non-JSON (malformed) logs.<br>- Mapped "lastModifiedDateTime" to "metadata.event_timestamp".<br>- Mapped "vendorInformation.provider:vendorInformation.subProvider" to "metadata.product_name".<br>- Set "metadata.event_type" to "GENERIC_EVENT" when both "principal_user_userid" and "target" are null.<br>- Mapped "alertWebUrl" to "metadata.url_back_to_product" instead of "network.http.referral_url".<br>- Mapped "incidentWebUrl" to "security_result.url_back_to_product" and "metadata.ingestion_label" instead of "target.url".<br>- Mapped "evidencedata.processCommandLine" to "principal.process.command_line". |
| 2023-02-28 | Customer Issue:<br>- Changed mapping of "aadUserId" from "principal.user.userid" to "principal.user.product_object_id". |
| 2023-02-27 | Bug Fix:<br>- Mapped "evidence.deviceDnsName" to "principal.hostname".<br>- Mapped "evidence.mdeDeviceId" to "principal.resource.product_object_id".<br>- Mapped "evidencedata.ipAddress" to "principal.ip".<br>- Mapped "evidencedata.primaryAddress" to "principal.user.email_addresses".<br>- If the evidence data type is "cloudApplicationEvidence", mapped "evidencedata.displayName" to "target.application", "evidencedata.instanceId" to "target.resource.product_object_id", "evidencedata.instanceName" to "target.resource.name", and "evidencedata.appId" and "evidencedata.saasAppId" to "target.resource.attribute.labels".<br>- If the evidence data type is "oauthApplicationEvidence", mapped "evidencedata.displayName" to "target.application", "evidencedata.objectId" to "target.resource.product_object_id", and "evidencedata.appId" and "evidencedata.publisher" to "target.resource.attribute.labels".<br>- If the evidence data type is "analyzedMessageEvidence", mapped "evidencedata.antiSpamDirection" to "network.direction", "evidencedata.recipientEmailAddress" to "network.email.from", "evidencedata.senderIp" to "principal.ip", and "evidencedata.subject" to "network.email.subject".<br>- Mapped "evidencedata.imageFile.filePath\\evidencedata.imageFile.fileName" to "intermediary.process.file.full_path".<br>- Mapped "evidencedata.userAccount.accountName" to "intermediary.user.user_display_name".<br>- Mapped "evidencedata.userAccount.azureAdUserId" to "intermediary.user.userid".<br>- Mapped "evidencedata.userAccount.userSid" to "intermediary.user.windows_sid".<br>- Mapped "evidencedata.userAccount.domainName" to "intermediary.administrative_domain".<br>- Mapped "evidencedata.processId" to "intermediary.process.pid".<br>- Mapped "evidencedata.parentProcessId" to "intermediary.process.parent_process.pid".<br>- Mapped "evidencedata.parentProcessImageFile.fileSize" to "intermediary.process.parent_process.file.size".<br>- Mapped "evidencedata.processCommandLine" to "intermediary.process.command_line".<br>- Mapped "evidencedata.url" to "intermediary.url".<br>- If the evidence data type is "registryKeyEvidence", mapped "evidencedata.registryKey" to "intermediary.registry.registry_key" and "evidencedata.registryHive" to "intermediary.registry.registry_value_data".<br>- If the evidence data type is "registryValueEvidence", mapped "evidencedata.registryKey" to "intermediary.registry.registry_key", "evidencedata.registryValue" to "intermediary.registry.registry_value_data", and "evidencedata.registryValueName" to "intermediary.registry.registry_value_name". |
| 2023-02-24 | Customer Issue:<br>- Mapped "vendorInformation.provider" to "metadata.product_name" if "service_source" is null. |
| 2023-02-13 | Customer Issue:<br>- Removed the else condition and enabled the mapping of 'principal.user.userid' and 'target.user.userid'. |
| 2023-01-25 | Bug Fix:<br>- Mapped "metadata.vendor_name" to "Microsoft".<br>- Mapped "serviceSource" to "metadata.product_name".<br>- Mapped "threatFamilyName" to "security_result.threat_feed_name".<br>- When two or more file entries occur in the log, mapped "evidence.fileDetails.filePath"\\"evidencedata.fileDetails.fileName" to "intermediary.process.file.full_path", "evidence.fileDetails.fileSize" to "intermediary.process.file.size", "evidence.fileDetails.sha1" to "intermediary.process.file.sha1", and "evidence.fileDetails.sha256" to "intermediary.process.file.sha256". |
| 2022-12-27 | Enhancement:<br>- Mapped "aadUserId" to "target.user.product_object_id".<br>- Mapped "status" to "security_result.detection_fields".<br>- Added a gsub for "fileState.path". |
| 2022-12-15 | Enhancement:<br>- Mapped "aadUserId" to "principal.user.userid".<br>- Added a condition for "userPrincipalName" to check for "userid" or "user.email_addresses". |
| 2022-11-25 | Enhancement:<br>- Mapped "azureTenantId" to "metadata.product_deployment_id" instead of "security_result.about.asset.attribute.cloud.project.product_object_id". |
| 2022-11-23 | Bug Fix:<br>- Modified "metadata.event_timestamp".<br>- Added an on_error statement for "description". |
| 2022-10-31 | Enhancement:<br>- Added support for v2 Alert API logs with the following mappings.<br>- Mapped "createdDateTime" to "metadata.event_timestamp".<br>- Mapped "recommendedActions" to "security_result.action_details".<br>- Mapped "threatDisplayName" to "security_result.threat_name".<br>- Mapped "assignedTo" to "target.user.userid".<br>- Mapped "evidence.loggedOnUsers.0.accountName" to "principal.user.userid".<br>- Mapped "evidence.loggedOnUsers.0.domainName" to "principal.hostname".<br>- Mapped "evidence.fileDetails.filePath"\\"evidencedata.fileDetails.fileName" to "target.process.file.full_path".<br>- Mapped "evidence.fileDetails.fileSize" to "target.process.file.size".<br>- Mapped "evidence.fileDetails.sha1" to "target.process.file.sha1".<br>- Mapped "evidence.fileDetails.sha256" to "target.process.file.sha256".<br>- Mapped "alertWebUrl" to "network.http.referral_url".<br>- Mapped "incidentWebUrl" to "target.url".<br>- Mapped "classification" to "metadata.product_event_type".<br>- Mapped "detectorId" to "metadata.product_log_id".<br>- Mapped "detectionSource", "determination", "incidentId", "serviceSource" and "tenantId" to "metadata.ingestion_labels". |
| 2022-10-11 | Enhancement:<br>- Modified the Grok pattern to parse the value of "userStates.userPrincipalName" and mapped it to "target.user.userid".<br>- Added a condition: if the target field is present, map "metadata.event_type" to "USER_LOGIN"; otherwise map it to "USER_UNCATEGORIZED".<br>- Modified "metadata.event_type" from "GENERIC_EVENT" to "STATUS_UPDATE/USER_UNCATEGORIZED" wherever possible.<br>- Added an on_error statement for "hostname". |
| 2022-06-07 | Enhancement:<br>- If "fileState.fileHash.hashValue" is not empty, mapped "metadata.event_type" to "SCAN_FILE". |
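The evidence-routing rules recorded in the 2024-04-15 and 2024-05-13 entries decide whether an evidence object lands on the principal or the target noun, which is what a detection author needs to know when writing rules against these events. The Python below is an added illustration of those rules, not the parser's own code; it assumes the Graph alert v2 evidence field names "@odata.type", "roles" (the log writes "evidence.role"), "detailedRoles" and "mdeDeviceId".

```python
# Added illustration, not the parser's own code: the evidence-routing rules
# from the 2024-04-15 and 2024-05-13 change-log entries. The field names
# "@odata.type", "roles", "detailedRoles" and "mdeDeviceId" are assumed to
# be those of Graph alert v2 evidence objects (the log writes "evidence.role").

def route_evidence(evidence):
    """Return (odata_type, udm_noun) per evidence object, checking rules in order:
    PrimaryDevice device -> principal; role destination -> target; role source
    -> principal; userEvidence -> principal.user; fileEvidence ->
    principal.process.file; sole deviceEvidence -> principal; several
    deviceEvidence with no PrimaryDevice/source -> principal only when
    mdeDeviceId is non-null. Everything else is reported as "unrouted"."""
    is_device = [e.get("@odata.type", "").endswith("deviceEvidence") for e in evidence]
    any_primary_or_source = any(
        "PrimaryDevice" in e.get("detailedRoles", []) or "source" in e.get("roles", [])
        for e in evidence)
    routed = []
    for e, dev in zip(evidence, is_device):
        etype, roles = e.get("@odata.type", ""), e.get("roles", [])
        if dev and "PrimaryDevice" in e.get("detailedRoles", []):
            noun = "principal"
        elif "destination" in roles:
            noun = "target"
        elif "source" in roles:
            noun = "principal"
        elif etype.endswith("userEvidence"):
            noun = "principal.user"
        elif etype.endswith("fileEvidence"):
            noun = "principal.process.file"
        elif dev and sum(is_device) == 1:
            noun = "principal"
        elif dev and not any_primary_or_source and e.get("mdeDeviceId"):
            noun = "principal"
        else:
            noun = "unrouted"  # not covered by the log; worth a manual look
        routed.append((etype, noun))
    return routed


# Constructed sample evidence list with placeholder values (not a real alert).
SAMPLE_EVIDENCE = [
    {"@odata.type": "#microsoft.graph.security.deviceEvidence",
     "detailedRoles": ["PrimaryDevice"], "mdeDeviceId": "device-id-placeholder"},
    {"@odata.type": "#microsoft.graph.security.ipEvidence", "roles": ["destination"]},
    {"@odata.type": "#microsoft.graph.security.userEvidence"},
    {"@odata.type": "#microsoft.graph.security.fileEvidence"},
]
```

An "unrouted" result flags evidence the listed rules do not place on any noun, which is where such data is most likely to be missed by a detection.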