Change log for MICROSOFT_GRAPH_ALERT

Date Changes
2024-02-23 Bug-Fix:
- Changed mapping of "createdDateTime" from "metadata.event_timestamp" to "metadata.collected_timestamp".
- Mapped "firstActivityDateTime" to "metadata.event_timestamp".
- Aligned "principal.ip"/"principal.hostname" and "target.ip"/"target.hostname" with "principal.asset.ip"/"principal.asset.hostname" and "target.asset.ip"/"target.asset.hostname".
- Removed mapping of "detectorId" to "metadata.product_log_id" and mapped "id" to "metadata.product_log_id".
- Mapped "detectorId" to "metadata.ingestion_labels".
2024-01-12 Enhancement:
- Mapped "hostname" from "description" to "principal.hostname".
- When "title" is "Activity from an anonymous proxy", added a new Grok pattern to parse "description" with two IP addresses.
- Mapped "principal_ip1" to "principal.ip".
2023-12-06 Enhancement:
- Mapped username from "userNameLoop.userPrincipalName" to "target.user.userid".
2023-11-27 Enhancement:
- Mapped hostname from "networkConnection.destinationUrl" to "target.hostname".
- When "evidence.@odata.type" is "processEvidence", mapped "evidence.imageFile.fileName" to "principal.process.file.names".
- When "evidence.@odata.type" is "processEvidence", mapped "evidence.imageFile.filePath\\evidence.imageFile.fileName" to "principal.process.file.full_path".
- When "evidence.@odata.type" is "processEvidence", mapped "evidence.parentProcessImageFile.fileName" to "principal.process.parent_process.file.names".
- When "evidence.@odata.type" is "processEvidence", mapped "evidence.parentProcessImageFile.filePath\\evidence.parentProcessImageFile.fileName" to "principal.process.parent_process.file.full_path".
2023-09-15 Fix:
- Changed mapping of "title" to "security_result.rule_name" from "security_result.summary".
- Changed mapping of "category" to "security_result.summary" from "security_result.rule_name".
- Corrected the mapping of "target.user.userid" and "target.user.email_addresses" to match "network.email.to".
2023-08-31 - Mapped "threatDisplayName" to "security_result.category_details" where "serviceSource" is "microsoftDefenderForEndpoint".
2023-08-16 - Mapped "security_result.attack_details.technique_id" based on "subtechnique_id".
2023-07-21 - Added MITRE ATT&CK tactic and technique details mapping to "security_result.attack_details".
2023-05-19 - Added an 'on_error' check to "userNameLoop.userPrincipalName" JSON filter.
- Added check for "principal_ip" to UDM.
- Added a regular expression check to "email" prior to mapping it to "security_result.about.user.email_addresses". If it is not an email address, mapped it to "security_result.about.user.user_display_name".
- Added a regular expression check to "evidencedata.subject" prior to mapping it to "network.email.from".
- Added a null check to "evidencedata.subject" prior to mapping it to "network.email.subject".
- Added "security_result.attack_details.techniques" and "security_result.attack_details.tactics" according to "title".
2023-04-19 - Added a for loop to map "userNameLoop.userPrincipalName" if it is an array of emails.
- Added a Grok pattern check to "hostname" prior to mapping it to "about.hostname".
2023-04-06 - Added a regular expression check to "evidencedata.primaryAddress" prior to mapping.
- Mapped "category" to "security_result.threat_name" if "threatDisplayName" is null.
2023-03-26 Enhancement -
- Mapped "CustomProperties.Compromised Host" to "principal.hostname".
- Mapped "CustomProperties.Attacker IP" to "principal.ip".
- Mapped "CustomProperties.Victim IP" to "target.ip".
- Mapped "CustomProperties.Attacked Port" to "target.port".
- Mapped "CustomProperties.Attacked Protocol" to "network.application_protocol".
- Mapped "CustomProperties.Number of Connections", "CustomProperties.Business Impact", "CustomProperties.resourceType" to "security_result.detection_fields".
2023-03-09 Enhancement -
- Dropped non-JSON (malformed) logs.
- Mapped "lastModifiedDateTime" to "metadata.event_timestamp".
- Mapped "vendorInformation.provider:vendorInformation.subProvider" to "metadata.product_name".
- Modified "metadata.event_type" to "GENERIC_EVENT" when both "principal_user_userid" and "target" are null.
- Mapped "alertWebUrl" to "metadata.url_back_to_product" instead of "network.http.referral_url".
- Mapped "incidentWebUrl" to "security_result.url_back_to_product" and "metadata.ingestion_label" instead of "target.url".
- Mapped "evidencedata.processCommandLine" to "principal.process.command_line".
2023-02-28 Customer Issue -
- Modified mapping of "aadUserId" to "principal.user.product_object_id" from "principal.user.userid".
2023-02-27 Bug Fix -
- Mapped "evidence.deviceDnsName" to "principal.hostname".
- Mapped "evidence.mdeDeviceId" to "principal.resource.product_object_id".
- Mapped "evidencedata.ipAddress" to "principal.ip".
- Mapped "evidencedata.primaryAddress" to "principal.user.email_addresses".
- If evidence data type is "cloudApplicationEvidence", then mapped the following:
- "evidencedata.displayName" to "target.application".
- "evidencedata.instanceId" to "target.resource.product_object_id".
- "evidencedata.instanceName" to "target.resource.name".
- "evidencedata.appId", "evidencedata.saasAppId" to "target.resource.attribute.labels".
- If evidence data type is "oauthApplicationEvidence", then mapped the following:
- "evidencedata.displayName" to "target.application".
- "evidencedata.objectId" to "target.resource.product_object_id".
- "evidencedata.appId", "evidencedata.publisher" to "target.resource.attribute.labels".
- If evidence data type is "analyzedMessageEvidence", then mapped the following:
- "evidencedata.antiSpamDirection" to "network.direction".
- "evidencedata.recipientEmailAddress" to "network.email.from".
- "evidencedata.senderIp" to "principal.ip".
- "evidencedata.subject" to "network.email.subject".
- Mapped "evidencedata.imageFile.filePath\\evidencedata.imageFile.fileName" to "intermediary.process.file.full_path".
- Mapped "evidencedata.userAccount.accountName" to "intermediary.user.user_display_name".
- Mapped "evidencedata.userAccount.azureAdUserId" to "intermediary.user.userid".
- Mapped "evidencedata.userAccount.userSid" to "intermediary.user.windows_sid".
- Mapped "evidencedata.userAccount.domainName" to "intermediary.administrative_domain".
- Mapped "evidencedata.processId" to "intermediary.process.pid".
- Mapped "evidencedata.parentProcessId" to "intermediary.process.parent_process.pid".
- Mapped "evidencedata.parentProcessImageFile.fileSize" to "intermediary.process.parent_process.file.size".
- Mapped "evidencedata.processCommandLine" to "intermediary.process.command_line".
- Mapped "evidencedata.url" to "intermediary.url".
- If evidence data type is "registryKeyEvidence", then mapped the following:
- "evidencedata.registryKey" to "intermediary.registry.registry_key".
- "evidencedata.registryHive" to "intermediary.registry.registry_value_data".
- If evidence data type is "registryValueEvidence", then mapped the following:
- "evidencedata.registryKey" to "intermediary.registry.registry_key".
- "evidencedata.registryValue" to "intermediary.registry.registry_value_data".
- "evidencedata.registryValueName" to "intermediary.registry.registry_value_name".
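The per-type evidence handling described in the 2023-11-27 and 2023-02-27 entries (and the null check from 2023-05-19), as an added Python illustration rather than the parser's own Logstash/Grok configuration: each evidence entry is routed on "@odata.type", "filePath" and "fileName" are joined with a backslash, and the sender IP and subject are validated before they reach "principal.ip" and "network.email.subject". The sample entries are constructed, and stripping the Graph type prefix is an assumption of this example.

```python
import ipaddress
from typing import Any, Dict, List, Optional

# Constructed sample evidence entries with placeholder values (not from a real tenant).
# The Graph API prefixes the type (e.g. "#microsoft.graph.security.processEvidence");
# the dispatcher keeps only the suffix so both spellings match (an assumption here).
SAMPLE_EVIDENCE: List[Dict[str, Any]] = [
    {"@odata.type": "#microsoft.graph.security.processEvidence",
     "imageFile": {"fileName": "cmd.exe", "filePath": "C:\\Windows\\System32"},
     "parentProcessImageFile": {"fileName": "explorer.exe", "filePath": "C:\\Windows"}},
    {"@odata.type": "registryValueEvidence", "registryKey": "HKLM\\SOFTWARE\\Example",
     "registryValue": "1", "registryValueName": "Enabled"},
    {"@odata.type": "analyzedMessageEvidence", "antiSpamDirection": "inbound",
     "senderIp": "203.0.113.5", "subject": None},
    {"@odata.type": "analyzedMessageEvidence", "senderIp": "not-an-ip", "subject": "Invoice"},
]

def full_path(f: Dict[str, Any]) -> Optional[str]:
    """Join filePath and fileName with a backslash; None if either part is missing."""
    path, name = f.get("filePath"), f.get("fileName")
    return f"{path}\\{name}" if path and name else None

def map_evidence(ev: Dict[str, Any]) -> Dict[str, Any]:
    """Return the UDM fields (dotted keys) that one evidence entry contributes."""
    kind = str(ev.get("@odata.type", "")).rsplit(".", 1)[-1]
    out: Dict[str, Any] = {}
    if kind == "processEvidence":
        img, parent = ev.get("imageFile", {}), ev.get("parentProcessImageFile", {})
        out["principal.process.file.names"] = img.get("fileName")
        out["principal.process.file.full_path"] = full_path(img)
        out["principal.process.parent_process.file.names"] = parent.get("fileName")
        out["principal.process.parent_process.file.full_path"] = full_path(parent)
    elif kind == "registryKeyEvidence":
        out["intermediary.registry.registry_key"] = ev.get("registryKey")
        out["intermediary.registry.registry_value_data"] = ev.get("registryHive")
    elif kind == "registryValueEvidence":
        out["intermediary.registry.registry_key"] = ev.get("registryKey")
        out["intermediary.registry.registry_value_data"] = ev.get("registryValue")
        out["intermediary.registry.registry_value_name"] = ev.get("registryValueName")
    elif kind == "analyzedMessageEvidence":
        out["network.direction"] = ev.get("antiSpamDirection")
        try:  # validate the IP before it reaches principal.ip; malformed values are dropped
            out["principal.ip"] = str(ipaddress.ip_address(ev.get("senderIp") or ""))
        except ValueError:
            pass
        if ev.get("subject"):  # null check before mapping network.email.subject
            out["network.email.subject"] = ev["subject"]
    # Unknown types and absent fields contribute nothing rather than empty UDM values.
    return {k: v for k, v in out.items() if v is not None}
```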
2023-02-24 Customer Issue -
- Mapped "vendorInformation.provider" to "metadata.product_name" if "service_source" is null.
2023-02-13 Customer Issue -
- Removed the else condition to allow mapping of both "principal.user.userid" and "target.user.userid".
2023-01-25 Bug Fix -
- Mapped "metadata.vendor_name" to "Microsoft".
- Mapped "serviceSource" to "metadata.product_name".
- Mapped "threatFamilyName" to "security_result.threat_feed_name".
- Mapped the following when two or more file entries occur in the log:
- Mapped "evidence.fileDetails.filePath\\evidence.fileDetails.fileName" to "intermediary.process.file.full_path".
- Mapped "evidence.fileDetails.fileSize" to "intermediary.process.file.size".
- Mapped "evidence.fileDetails.sha1" to "intermediary.process.file.sha1".
- Mapped "evidence.fileDetails.sha256" to "intermediary.process.file.sha256".
2022-12-27 Enhancement -
- Mapped "aadUserId" to "target.user.product_object_id".
- Mapped "status" to "security_result.detection_fields".
- Added gsub for "fileState.path".
2022-12-15 Enhancement -
- Mapped "aadUserId" to "principal.user.userid".
- Added condition for "userPrincipalName" to check for "userid" or "user.email_addresses".
2022-11-25 Enhancement -
- Mapped "azureTenantId" to "metadata.product_deployment_id" instead of "security_result.about.asset.attribute.cloud.project.product_object_id".
2022-11-23 Bug Fix -
- Modified "metadata.event_timestamp".
- Added on_error statement for "description".
2022-10-31 Enhancement -
- Added support for v2 Alert API logs and added the following mappings.
- Mapped "createdDateTime" to "metadata.event_timestamp".
- Mapped "recommendedActions" to "security_result.action_details".
- Mapped "threatDisplayName" to "security_result.threat_name".
- Mapped "assignedTo" to "target.user.userid".
- Mapped "evidence.loggedOnUsers.0.accountName" to "principal.user.userid".
- Mapped "evidence.loggedOnUsers.0.domainName" to "principal.hostname".
- Mapped "evidence.fileDetails.filePath\\evidence.fileDetails.fileName" to "target.process.file.full_path".
- Mapped "evidence.fileDetails.fileSize" to "target.process.file.size".
- Mapped "evidence.fileDetails.sha1" to "target.process.file.sha1".
- Mapped "evidence.fileDetails.sha256" to "target.process.file.sha256".
- Mapped "alertWebUrl" to "network.http.referral_url".
- Mapped "incidentWebUrl" to "target.url".
- Mapped "classification" to "metadata.product_event_type".
- Mapped "detectorId" to "metadata.product_log_id".
- Mapped "detectionSource" to "metadata.ingestion_labels".
- Mapped "determination" to "metadata.ingestion_labels".
- Mapped "incidentId" to "metadata.ingestion_labels".
- Mapped "serviceSource" to "metadata.ingestion_labels".
- Mapped "tenantId" to "metadata.ingestion_labels".
2022-10-11 Enhancement - Modified the Grok pattern that parses the value of "userStates.userPrincipalName" and mapped it to "target.user.userid".
- Added a condition: if the target field is present, map "metadata.event_type" to "USER_LOGIN"; otherwise map it to "USER_UNCATEGORIZED".
- Modified "metadata.event_type" from "GENERIC_EVENT" to "STATUS_UPDATE/USER_UNCATEGORIZED" wherever possible.
- Added on_error statement for "hostname".
2022-06-07 Enhancement - If "fileState.fileHash.hashValue" is not empty, "metadata.event_type" is mapped to "SCAN_FILE".