Change log for WINDOWS_DEFENDER_ATP

Date        Changes

2024-03-05
- Mapped "metadata.entity_type" to "ASSET" for logs that carry asset information.
- Mapped "properties.DeviceId" to "entity.asset.asset_id".

2023-12-08 Bug-fix:
- Fixed the mapping of "properties.InitiatingProcessFolderPath" to "principal.process.file.full_path".

2023-11-25 Enhancement:
- Mapped "AdditionalFields" and "properties.AdditionalFields" to "principal.resource.attribute.labels".
- Mapped "tenantId" to "resource_ancestors.product_object_id".

2023-10-12 Enhancement:
- Corrected the spelling "FileUploadedCloud" to "FileUploadedToCloud" in the "properties.ActionType" value check.
- Mapped "properties.IPAddress" to "principal.ip".
- Mapped "properties.RawEventData.Sha1" to "principal.process.file.sha1".
- Mapped "properties.RawEventData.Sha256" to "principal.process.file.sha256".
- Mapped "properties.RawEventData.FileSize" to "principal.process.file.size".
- Added a validation check on "properties.SenderFromAddress" and "properties.RawEventData.UserId" prior to mapping them to UDM fields.

2023-10-09 Enhancement:
- Mapped "properties.ObjectId" to "additional.fields".
- Mapped "properties.RawEventData.Pid" to "target.process.pid".
- Added a condition for the "Delete NetworkSecurityGroups" action type to handle previously failing logs.
- Added a regex to parse the "properties.SenderFromAddress" field.

2023-09-20 Enhancement:
- Mapped "properties.RegistryValueData" to "target.registry.registry_value_data".
- Mapped "properties.RegistryValueName" to "target.registry.registry_value_name".
- Mapped "properties.PreviousRegistryValueName" to "target.resource.attribute.labels" when "properties.RegistryValueName" is also present.
- Mapped "properties.PreviousRegistryValueData" to "target.resource.attribute.labels" when "properties.RegistryValueData" is also present.

2023-09-04 Enhancement:
- Mapped "properties.RegistryValueData" to "target.registry.registry_value_data".
- Mapped "properties.RegistryValueName" to "target.registry.registry_value_name".
- Mapped "properties.PreviousRegistryValueName" to "target.resource.attribute.labels" when "properties.RegistryValueName" is also present.
- Mapped "properties.PreviousRegistryValueData" to "target.resource.attribute.labels" when "properties.RegistryValueData" is also present.
- For "properties.ActionType" in "SearchPreviewed", "FileUploadedCloud", mapped the following fields:
  - "properties.ApplicationId" to "additional.fields".
  - "properties.AccountDisplayName" to "principal.user.user_display_name".
  - "properties.AccountObjectId" to "principal.user.userid".
  - "properties.RawEventData.UserId" to "principal.user.email_addresses".
  - "properties.RawEventData.ObjectId" to "additional.fields".
  - "properties.RawEventData.ExchangeLocations" to "security_result.category_details".
  - "properties.RawEventData.TargetDomain" to "target.hostname".
  - "properties.RawEventData.Query" to "additional.fields".
- Mapped additional fields for "AdvancedHunting-DeviceProcessEvents":
  - "properties.InitiatingProcessSignerType" to "additional.fields".
  - "properties.InitiatingProcessSignatureStatus" to "additional.fields".
  - "properties.ProcessVersionInfoProductName" to "additional.fields".
  - "properties.InitiatingProcessVersionInfoProductName" to "additional.fields".
  - "properties.ProcessVersionInfoCompanyName" to "principal.user.company_name".

2023-06-06 Enhancement:
- Mapped "properties.Url" to "target.url".
- Mapped "properties.UrlDomain" to "target.hostname".
- Mapped "properties.UrlLocation" to "additional.fields".

2023-03-01 Enhancement:
- Mapped "properties.InitiatingProcessVersionInfoCompanyName" to "principal.user.company_name".
- Mapped "properties.InitiatingProcessVersionInfoProductVersion" to "metadata.product_version".
- Mapped "properties.InitiatingProcessVersionInfoInternalFileName" to "principal.resource.attribute.labels".
- Mapped "properties.InitiatingProcessVersionInfoOriginalFileName" to "principal.resource.attribute.labels".
- Mapped "properties.InitiatingProcessVersionInfoFileDescription" to "principal.resource.attribute.labels".
- Mapped "properties.AlertId" to "metadata.product_log_id".
- Added a regular-expression condition check for the "properties.InitiatingProcessAccountUpn" field.
- Added an on_error check for the "target.hostname" block.

2022-12-20 Bug-fix:
- Added an on_error check for "properties.AdditionalFields" to reduce flakiness.
- Added a condition for the "Write NetworkSecurityGroups", "Edit NetworkSecurityGroups" and "FileModifiedExtended" action types to handle previously failing logs.

2022-10-20 Enhancement:
- Mapped "properties.ReportId" to "target.resource.product_object_id".
- Mapped "properties.DeviceId" to "principal.asset_id".

2022-09-20 Enhancement:
- Merged customer-specific parsers into the default parser.

2022-07-29 Enhancement:
- Parsed logs with EventIDs "2006", "2004", "2033", "2005", "2008" and "0".
- Added support for a new, previously unparsed JSON log format.