Collect Microsoft Graph security API alert logs
This document describes how you can collect Microsoft Graph security API alerts logs by setting up a Google Security Operations feed.
For more information, see Data ingestion to Google Security Operations.
An ingestion label identifies the parser which normalizes raw log data
to structured UDM format. The information in this document applies to the parser
with the MICROSOFT_GRAPH_ALERT
ingestion label.
Configure Microsoft Graph security API alerts
- Sign in to the Azure portal.
- Click Azure Active Directory.
- Click App Registrations.
- Click New registrations and create an application.
- Copy Client ID and Tenant ID, which are required when you configure the Google Security Operations feed.
- Click API permissions.
- Click Add a permission and then select Microsoft Graph in the new pane.
- Click Application Permissions.
- Expand the SecurityActions and SecurityEvents sections, and select Read.All permissions.
- Click Add permissions.
- Click Grant Admin consent for Default Directory.
- In the Manage menu, click Certificates & secrets.
- Click New Client secret, and create a new key.
- Copy the secret key from the Value field. The secret key is displayed only at the time of creation and is required when you configure the Google Security Operations feed.
Configure a Google Security Operations feed to ingest Microsoft Graph Security API alert logs
- Go to SIEM Settings > Feeds.
- Click Add New.
- Enter a unique name for the Field Name.
- Select Third party API as the Source Type.
- Select Microsoft Graph API Alerts as the Log Type.
- Click Next.
- Configure the following mandatory input parameters:
- OAuth Client ID: specify the client ID that you obtained previously.
- OAuth Client Secret: specify the client secret that you obtained previously.
- TenantId: specify the tenant ID that you obtained previously.
- API Full Path: specify the following path:
graph.microsoft.com/v1.0/security/alerts
. - API Authentication Endpoint: specify the following endpoint:
https://login.microsoftonline.com/{tenantId}/oauth2/token
- Click Next and then click Submit.
For more information about Google Security Operations feeds, see Google Security Operations feeds documentation. For information about requirements for each feed type, see Feed configuration by type.
If you encounter issues when you create feeds, contact Google Security Operations support.
Field mapping reference
This parser transforms Microsoft Graph Alerts (JSON) into the Chronicle UDM. It extracts fields, maps them to UDM, handles nested structures like userStates
, processes
, and networkConnections
, enriches data with MITRE ATT&CK mappings, and performs specific logic based on the alert title and description for accurate representation in Chronicle.
UDM Mapping Table
Log Field | UDM Mapping | Logic |
---|---|---|
assignedTo |
security_result.detection_fields[].value |
The value of assignedTo is placed in a detection_fields object with the corresponding key "assignedTo". |
azureTenantId |
metadata.product_deployment_id |
Direct mapping. |
category |
security_result.summary |
Direct mapping. Also used as the value for metadata.product_event_type if no other value is present. |
classification |
security_result.detection_fields[].value |
The value of classification is placed in a detection_fields object with the corresponding key "classification". Also used as the value for metadata.product_event_type if no other value is present. |
clientApplication |
vendorInformation.provider |
Used as the value for vendorInformation.provider if the original vendorInformation.provider is empty. |
cloudAppStates[].destinationServiceName |
target.application (index 0), about[].application (subsequent indices) |
The destinationServiceName of the first element in cloudAppStates is mapped to target.application . Subsequent elements are mapped to about[].application . |
comments[].comment |
security_result.detection_fields[].value |
The value of each comment in comments is placed in a detection_fields object with the corresponding key "comment {index}". |
comments[].createdByDisplayName |
security_result.detection_fields[].value |
The value of each createdByDisplayName in comments is placed in a detection_fields object with the corresponding key "createdByDisplayName {index}". |
comments[].createdDateTime |
security_result.detection_fields[].value |
The value of each createdDateTime in comments is placed in a detection_fields object with the corresponding key "createdDateTime {index}". |
compromisedEntity |
principal.hostname , principal.asset.hostname |
Used as the value for principal.hostname and principal.asset.hostname if CustomProperties is present. |
createdDateTime |
metadata.collected_timestamp |
Parsed as a timestamp and mapped. |
CustomProperties |
Various | Parsed as JSON and used to populate several UDM fields, including principal.hostname , principal.ip , target.ip , target.port , network.application_protocol , and security_result.detection_fields[] . Specific logic for each field is detailed in the parser code. |
description |
security_result.description , metadata.description |
Direct mapping to security_result.description . Also mapped to metadata.description if present. Used to extract principal.hostname if it matches specific patterns. |
detectorId |
security_result.detection_fields[].value |
The value of detectorId is placed in a detection_fields object with the corresponding key "detectorId". |
determination |
security_result.detection_fields[].value |
The value of determination is placed in a detection_fields object with the corresponding key "determination". |
detectionSource |
security_result.detection_fields[].value |
The value of detectionSource is placed in a detection_fields object with the corresponding key "detectionSource". |
eventDateTime |
metadata.event_timestamp |
Parsed as a timestamp and mapped. Used as fallback for event_time if firstActivityDateTime and properties.detectedTimeUtc are not present. |
evidence[] |
Various | Parsed as JSON and used to populate several UDM fields, primarily related to principal , target , and intermediary objects. Specific logic for each field is detailed in the parser code. |
fileStates[].fileHash.hashValue |
target.file.sha1 , target.file.sha256 , about[].file.sha1 , about[].file.sha256 |
Mapped to the appropriate SHA hash field based on hashType . |
fileStates[].name |
target.file.full_path (part), about[].file.full_path (part) |
Used in conjunction with path to construct the full_path for target.file or about[].file . |
fileStates[].path |
target.file.full_path , about[].file.full_path |
Used in conjunction with name to construct the full_path for target.file or about[].file . |
firstActivityDateTime |
event_time |
Parsed as a timestamp and mapped. Used as preferred value for event_time if present. |
hostStates[].fqdn |
target.hostname , target.asset.hostname , about[].hostname |
Mapped to target.hostname and target.asset.hostname for the first element in hostStates . Subsequent elements are mapped to about[].hostname . |
hostStates[].netBiosName |
target.hostname , target.asset.hostname , about[].hostname |
Used as fallback for hostname if fqdn is not present. |
hostStates[].os |
target.platform , target.asset.platform_software.platform , about[].platform |
Mapped to the appropriate platform value (WINDOWS, LINUX, MAC) based on the value of os . |
hostStates[].privateIpAddress |
target.ip , target.asset.ip , about[].ip |
Mapped to target.ip and target.asset.ip for the first element in hostStates . Subsequent elements are mapped to about[].ip . |
hostStates[].publicIpAddress |
target.ip , target.asset.ip , about[].ip |
Mapped to target.ip and target.asset.ip for the first element in hostStates . Subsequent elements are mapped to about[].ip . |
id |
metadata.product_log_id |
Direct mapping. |
incidentId |
security_result.detection_fields[].value |
The value of incidentId is placed in a detection_fields object with the corresponding key "incidentId". |
incidentWebUrl |
security_result.url_back_to_product |
Direct mapping. |
lastModifiedDateTime |
metadata.event_timestamp |
Parsed as a timestamp and mapped. Used as fallback for event_time if other timestamp fields are not present. |
lastUpdateDateTime |
security_result.detection_fields[].value , event_time |
The value of lastUpdateDateTime is placed in a detection_fields object with the corresponding key "lastUpdateDateTime". Also parsed as a timestamp and mapped to event_time if present. |
malwareStates[].name |
security_result.threat_name |
Direct mapping. |
mitreTechniques[] |
security_result.attack_details.techniques[] , security_result.attack_details.tactics[] |
Used to populate security_result.attack_details.techniques[] and security_result.attack_details.tactics[] based on MITRE mappings. |
name |
idm.read_only_udm.security_result.rule_name |
Used as the value for security_result.rule_name if title is empty. |
networkConnections[].destinationPort |
target.port (index 0) |
Mapped for the first element in networkConnections . Converted to an integer. |
networkConnections[].destinationUrl |
target.hostname , target.asset.hostname , about[].url |
Used to extract the hostname and map it to target.hostname and target.asset.hostname for the first element in networkConnections . Subsequent elements are mapped to about[].url . |
networkConnections[].protocol |
network.ip_protocol |
Converted to uppercase and mapped. |
networkConnections[].sourceAddress |
principal.ip , principal.asset.ip , about[].ip |
Mapped to principal.ip and principal.asset.ip for the first element in networkConnections . Subsequent elements are mapped to about[].ip . |
networkConnections[].sourceLocation |
principal.location , about[].location |
Parsed and mapped to principal.location for the first element in networkConnections . Subsequent elements are parsed and mapped to about[].location . |
processes[] |
target.process , about[].process |
Used to populate fields related to target.process for the first element in processes . Subsequent elements are mapped to about[].process . |
productName |
metadata.product_name |
Direct mapping. |
properties.alertDisplayName |
security_result.rule_name |
Used as the value for security_result.rule_name if title is empty. |
properties.alertName |
security_result.summary |
Used as the value for security_result.summary if category is empty. Also used as the value for security_result.rule_name if both title and properties.alertName are empty. |
properties.detectedTimeUtc |
event_time |
Parsed as a timestamp and mapped. Used as fallback for event_time if firstActivityDateTime is not present. |
properties.description |
security_result.description |
Used as the value for security_result.description if the original description is empty. |
properties.extendedProperties.'client Application' |
vendorInformation.provider |
Used as the value for vendorInformation.provider if the original vendorInformation.provider is empty. |
properties.extendedProperties.'client Hostname' |
principal.hostname |
Direct mapping. |
properties.extendedProperties.'client IP Address' |
principal.ip , principal.asset.ip |
Direct mapping. |
properties.extendedProperties.'client Principal Name' |
target.user.userid , security_result.about.user.email_addresses |
Mapped to target.user.userid . If it's an email address, it's also added to security_result.about.user.email_addresses . |
properties.remediationSteps |
security_result.action_details |
Direct mapping. |
properties.reportedSeverity |
security_result.severity |
Used as the value for security_result.severity if the original severity is empty. Converted to uppercase. |
properties.state |
security_result.detection_fields[].value |
The value of properties.state is placed in a detection_fields object with the corresponding key "Status". |
recommendedActions |
security_result.action_details |
Used to construct security_result.action_details by concatenating all elements. Also used as the value for security_result.action_details if the original recommendedActions is not an array. |
resolvedDateTime |
security_result.detection_fields[].value |
The value of resolvedDateTime is placed in a detection_fields object with the corresponding key "resolvedDateTime". |
securityResources[].resource |
security_result.about.resource.name |
Direct mapping. |
securityResources[].resourceType |
security_result.about.resource.resource_subtype |
Direct mapping. |
serviceSource |
metadata.product_name |
Used to construct metadata.product_name if productName and vendorInformation.provider are empty. The value is parsed to remove "microsoft " and add spaces between capitalized words. |
severity |
security_result.severity |
Direct mapping. Converted to uppercase. |
sourceMaterials[] |
security_result.url_back_to_product , about[].url |
The first element in sourceMaterials is mapped to security_result.url_back_to_product . Subsequent elements are mapped to about[].url . |
status |
security_result.detection_fields[].value |
The value of status is placed in a detection_fields object with the corresponding key "Status". |
tenantId |
metadata.product_deployment_id |
Direct mapping. |
threatDisplayName |
security_result.threat_name |
Direct mapping. |
threatFamilyName |
security_result.threat_feed_name |
Direct mapping. |
title |
security_result.rule_name |
Direct mapping. |
userStates[].aadUserId |
principal.user.product_object_id , target.user.product_object_id , about[].user.userid |
Mapped to principal.user.product_object_id or target.user.product_object_id depending on the context. Also mapped to about[].user.userid for subsequent elements in userStates . |
userStates[].accountName |
target.user.user_display_name , about[].user.user_display_name |
Mapped to target.user.user_display_name for the first element in userStates . Subsequent elements are mapped to about[].user.user_display_name . |
userStates[].domainName |
target.administrative_domain , about[].administrative_domain |
Mapped to target.administrative_domain for the first element in userStates . Subsequent elements are mapped to about[].administrative_domain . |
userStates[].emailRole |
network.email.from , network.email.to , about[].email |
Used to determine whether userPrincipalName should be mapped to network.email.from or network.email.to . If neither, it's mapped to about[].email . |
userStates[].logonIp |
principal.ip , principal.asset.ip , about[].ip |
Mapped to principal.ip and principal.asset.ip for the first element in userStates . Subsequent elements are mapped to about[].ip . |
userStates[].logonLocation |
principal.location , about[].location |
Parsed and mapped to principal.location for the first element in userStates . Subsequent elements are parsed and mapped to about[].location . |
userStates[].onPremisesSecurityIdentifier |
target.user.windows_sid |
Direct mapping. |
userStates[].userPrincipalName |
target.user.userid , target.user.email_addresses , about[].user.userid , about[].user.email_addresses |
Mapped to target.user.userid or added to target.user.email_addresses based on whether it's an email address. Subsequent elements are mapped similarly to about[].user . |
vendorInformation.provider |
metadata.product_name |
Used in conjunction with vendorInformation.subProvider or alone to construct metadata.product_name if productName is empty. |
vendorInformation.subProvider |
metadata.product_name , metadata.product_event_type |
Used in conjunction with vendorInformation.provider to construct metadata.product_name if productName is empty. Also used as the value for metadata.product_event_type if title is empty. |
vendorInformation.vendor |
metadata.vendor_name |
Overwrites the default value of "Microsoft" for metadata.vendor_name . |
Changes
2024-06-05
- Handled parsing error.
2024-05-27
- Removed "incidentWebUrl" from "metadata.ingestion_labels".
- Mapped "userStates.onPremisesSecurityIdentifier" to "target.user.windows_sid".
2024-05-23
- Mapped "lastUpdatedDateTime" to "metadata.event_timestamp".
2024-05-20
- Mapped "classification", "comments.n.comment", "comments.n.createdByDisplayName", and "comments.n.createdDateTime" to "security_result.detection_fields".
2024-05-13
- When "evidence.@odata.type" is "fileEvidence", then mapped "evidence.fileDetails." fields to "principal.process.file." fields.
- When "evidence" has only one "deviceEvidence", then mapped "evidence." fields to "principal." fields.
- When "evidence" does not have "PrimaryDevice" or "source" and has multiple "deviceEvidence" fields, then mapped "evidence." fields to "principal." fields when "evidence.mdeDeviceId" is not null.
2024-04-17
- Mapped "productName" to "metadata.product_name".
- Mapped "networkConnection.destinationPort" to "target.port".
- When "index=1" then mapped "userStates.logonDateTime" to "security_result.first_discovered_time".
- When "index=0" then mapped "userStates.logonDateTime" to "security_result.last_discovered_time".
2024-04-16
- Bug-Fix:
- Mapped "CustomProperties.resourceType" to "target.resource.name".
- Mapped "CustomProperties.EffectiveAzureResourceId" to "target.resource.product_object_id".
- Mapped "CustomProperties.ContainerName", "CustomProperties.ContainerImage", "CustomProperties.ObjectName", "CustomProperties.ObjectKind", "CustomProperties.CompromisedEntity", and "CustomProperties.namespace" to "target.resource.labels".
2024-04-15
- Bug-Fix:
- When "evidence.@data.type" contains "deviceEvidence" and "evidence.detailedRoles" contains "PrimaryDevice", then mapped "evidence." details to "principal.".
- When "evidence.role" contains "destination", then mapped "evidence." details to "target."
- When "evidence.role" contains "source", then mapped "evidence." details to "principal."
- When "evidence.@data.type" contains "userEvidence", then mapped "evidence.userAccount." fields to "principal.user." fields.
- Mapped "assignedTo", "resolvedDateTime" to "security_result.detection_fields".
2024-03-25
- Changed mapping of "detectionSource", "detectorId", "determination" and "incidentId" from "metadata.ingestion_labels" to "security_result.detection_fields".
2024-02-23
- Bug-Fix:
- Changed mapping of "createdDateTime" from "metadata.event_timestamp" to "metadata.collected_timestamp".
- Mapped "firstActivityDateTime" to "metadata.event_timestamp".
- Aligned "principal/target.ip/hostname" to "principal/target.asset.ip/hostname".
- Removed mapping of "detectorId" to "metadata.product_log_id" and mapped "id" to "metadata.product_log_id".
- Mapped "detectorId" to "metadata.ingestion_labels".
2024-01-12
- Mapped "hostname" from "description" to "principal.hostname".
- When "title" is "Activity from an anonymous proxy", added a new Grok pattern to parse "description" with two IP addresses.
- Mapped "principal_ip1" to "principal.ip".
2023-12-06
- Fix:
- Added a check for "title" removing a unicode character for "Email messages containing malicious URL removed after delivery".
2023-12-06
- Mapped username from "userNameLoop.userPrincipalName" to "target.user.userid".
2023-11-27
- Mapped hostname from "networkConnection.destinationUrl" to "target.hostname".
- When "evidence.@odata.type" is "processEvidence", then mapped "evidence.imageFile.fileName" to "principal.process.file.names".
- When "evidence.@odata.type" is "processEvidence", then mapped "evidenceimageFile.filePath"\"evidence.imageFile.fileName" to "principal.process.file.full_path".
- When "evidence.@odata.type" is "processEvidence", then mapped "evidence.parentProcessImageFile.fileName" to "principal.process.parent_process.file.names".
- When "evidence.@odata.type" is "processEvidence", then mapped "evidence.parentProcessImageFile.filePath"\evidence.parentProcessImageFile.fileName" to "principal.process.parent_process.file.full_path".
2023-09-15
- Fix :
- Changed mapping of "title" to "security_result.rule_name" from "security_result.summary".
- Changed mapping of "category" to "security_result.summary" from "security_result.rule_name".
- Mapped "target.user.userid", "target.user.email_addresses" correctly to match "network.email.to".
2023-08-31
- Mapped "threatDisplayName" to "security_result.category_details" where "serviceSource" is "microsoftDefenderForEndpoint".
2023-08-16
- Mapped "security_result.attack_details.technique_id" based on "subtechnique_id".
2023-07-21
- Added MITRE ATT&CK tactic and technique details mapping to "security_result.attack_details".
2023-05-19
- Added an 'on_error' check to "userNameLoop.userPrincipalName" JSON filter.
- Added check for "principal_ip" to UDM.
- Added a regular expression check to "email" prior mapping to "security_result.about.user.email_addresses". If it is not an email address, mapped it to "security_result.about.user.user_display_name".
- Added a regular expression check to "evidencedata.subject" prior mapping to "network.email.from".
- Added a null check to "evidencedata.subject" prior mapping to "network.email.subject".
- Added "security_result.attack_details.techniques" and "security_result.attack_details.tactics" according to "title".
2023-04-19
- Added a for loop to map "userNameLoop.userPrincipalName" if it is an array of emails.
- Added a Grok pattern check to "hostname" prior mapping to "about.hostname".
2023-04-06
- Added regular expression check to "evidencedata.primaryAddress" prior mapping.
- Mapped "category" to "security_result.threat_name" if "threatDisplayName" is null.
2023-03-26
- Enhancement -
- Mapped "CustomProperties.Compromised Host" to "principal.hostname".
- Mapped "CustomProperties.Attacker IP" to "principal.ip".
- Mapped "CustomProperties.Victim IP" to "target.ip".
- Mapped "CustomProperties.Attacked Port" to "target.port".
- Mapped "CustomProperties.Attacked Protocol" to "network.application_protocol".
- Mapped "CustomProperties.Number of Connections", "CustomProperties.Business Impact", "CustomProperties.resourceType" to "security_result.detection_fields".
2023-03-09
- Enhancement -
- Dropped non-JSON (malformed) logs.
- Mapped "lastModifiedDateTime" to "metadata.event_timestamp".
- Mapped "vendorInformation.provider:vendorInformation.subProvider" to "metadata.product_name".
- Modified "metadata.event_type" to "GENERIC_EVENT" when both "principal_user_userid" and "target" is null.
- Mapped "alertWebUrl" to "metadata.url_back_to_product" instead of "network.http.referral_url".
- Mapped "incidentWebUrl" to "security_result.url_back_to_product" and "metadata.ingestion_label" instead of "target.url".
- Mapped "evidencedata.processCommandLine" to "principal.process.command_line".
2023-02-28
- Customer Issue -
- Modified mapping of "aadUserId" to "principal.user.product_object_id" from "principal.user.userid".
2023-02-27
- Bug Fix -
- Mapped "evidence.deviceDnsName" to "principal.hostname".
- Mapped "evidence.mdeDeviceId" to "principal.resource.product_object_id".
- Mapped "evidencedata.ipAddress" to "principal.ip".
- Mapped "evidencedata.primaryAddress" to "principal.user.email_addresses".
- If evidence data type is "cloudApplicationEvidence" then mapped following:
- "evidencedata.displayName" to "target.application".
- "evidencedata.instanceId" to "target.resource.product_object_id".
- "evidencedata.instanceName" to "target.resource.name".
- "evidencedata.appId", "evidencedata.saasAppId" to "target.resource.attribute.labels".
- If evidence data type is "oauthApplicationEvidence" then mapped following:
- "evidencedata.displayName" to "target.application".
- "evidencedata.objectId" to "target.resource.product_object_id".
- "evidencedata.appId", "evidencedata.publisher" to "target.resource.attribute.labels".
- If evidence data type is "analyzedMessageEvidence" then mapped following:
- "evidencedata.antiSpamDirection" to "network.direction".
- "evidencedata.recipientEmailAddress" to "network.email.from".
- "evidencedata.senderIp" to "principal.ip".
- "evidencedata.subject" to "network.email.subject".
- Mapped "evidencedata.imageFile.filePath\evidencedata.imageFile.fileName" to "intermediary.process.file.full_path".
- Mapped "evidencedata.userAccount.accountName" to "intermediary.user.user_display_name".
- Mapped "evidencedata.userAccount.azureAdUserId" to "intermediary.user.userid".
- Mapped "evidencedata.userAccount.userSid" to "intermediary.user.windows_sid".
- Mapped "evidencedata.userAccount.domainName" to "intermediary.administrative_domain".
- Mapped "evidencedata.processId" to "intermediary.process.pid".
- Mapped "evidencedata.parentProcessId" to "intermediary.process.parent_process.pid".
- Mapped "evidencedata.parentProcessImageFile.fileSize" to "intermediary.process.parent_process.file.size".
- Mapped "evidencedata.processCommandLine" to "intermediary.process.command_line".
- Mapped "evidencedata.url" to "intermediary.url".
- If evidence data type is "registryKeyEvidence" then mapped following:
- "evidencedata.registryKey" to "intermediary.registry.registry_key".
- "evidencedata.registryHive" to "intermediary.registry.registry_value_data".
- If evidence data type is "registryValueEvidence" then mapped following:
- "evidencedata.registryKey" to "intermediary.registry.registry_key".
- "evidencedata.registryValue" to "intermediary.registry.registry_value_data".
- "evidencedata.registryValueName" to "intermediary.registry.registry_value_name".
2023-02-24
- Customer Issue -
- Mapped "vendorInformation.provider" to "metadata.product_name" if "service_source" is null.
2023-02-13
- Customer Issue -
- Removed else condition and facilitated mapping of 'principal.user.userid' and 'target.user.userid'.
2023-01-25
- Bug Fix -
- Mapped "metadata.vendor_name" to "Microsoft".
- Mapped "serviceSource" to "metadata.product_name".
- Mapped "threatFamilyName" to "security_result.threat_feed_name".
- Mapped following when 2 or more file data occurred in log:
- Mapped "evidence.fileDetails.filePath"\"evidencedata.fileDetails.fileName" to "intermediary.process.file.full_path".
- Mapped "evidence.fileDetails.fileSize" to "intermediary.process.file.size".
- Mapped "evidence.fileDetails.sha1" to "intermediary.process.file.sha1".
- Mapped "evidence.fileDetails.sha256" to "intermediary.process.file.sha256".
2022-12-27
- Enhancement -
- Mapped "aadUserId" to "target.user.product_object_id".
- Mapped "status" to "security_result.detection_fields".
- Added gsub for "fileState.path".
2022-12-15
- Enhancement -
- Mapped "aadUserId" to "principal.user.userid".
- Added condition for "userPrincipalName" to check for "userid" or "user.email_addresses".
2022-11-25
- Enhancement -
- Mapped "azureTenantId" to "metadata.product_deployment_id" instead of "security_result.about.asset.attribute.cloud.project.product_object_id".
2022-11-23
- Bug Fix -
- Modified metadata.event_timestamp.
- Added on_error statement for "description".
2022-10-31
- Enhancement -
- Added support for v2 Alert API logs and added following mappings.
- Mapped "createdDateTime" to "metadata.event_timestamp".
- Mapped "recommendedActions" to "security_result.action_details".
- Mapped "threatDisplayName" to "security_result.threat_name".
- Mapped "assignedTo" to "target.user.userid".
- Mapped "evidence.loggedOnUsers.0.accountName" to "principal.user.userid".
- Mapped "evidence.loggedOnUsers.0.domainName" to "principal.hostname".
- Mapped "evidence.fileDetails.filePath"\"evidencedata.fileDetails.fileName" to "target.process.file.full_path".
- Mapped "evidence.fileDetails.fileSize" to "target.process.file.size".
- Mapped "evidence.fileDetails.sha1" to "target.process.file.sha1".
- Mapped "evidence.fileDetails.sha256" to "target.process.file.sha256".
- Mapped "alertWebUrl" to "network.http.referral_url".
- Mapped "incidentWebUrl" to "target.url".
- Mapped "classification" to "metadata.product_event_type".
- Mapped "detectorId" to "metadata.product_log_id".
- Mapped "detectionSource" to "metadata.ingestion_labels".
- Mapped "determination" to "metadata.ingestion_labels".
- Mapped "incidentId" to "metadata.ingestion_labels".
- Mapped "serviceSource" to "metadata.ingestion_labels".
- Mapped "tenantId" to "metadata.ingestion_labels".
2022-10-11
- Enhancement - Modified grok pattern to parse value of "userStates.userPrincipalName" and mapped it to "target.user.userid".
- Added condition to check if target field is present then map "metadata.event_type" to "USER_LOGIN" else map it to "USER_UNCATEGORIZED".
- Modified "metadata.event_type" from "GENERIC_EVENT" to "STATUS_UPDATE/USER_UNCATEGORIZED" wherever possible.
- Added on_error statement for "hostname".
2022-06-07
- Enhancement - If fileState.fileHash.hashValue is not empty, metadata.event_type is mapped to SCAN_FILE.