Collect Microsoft Defender for Identity logs
This document explains how to ingest Microsoft Defender for Identity logs into Google Security Operations using Azure Storage. The parser processes JSON logs, falling back to CEF-formatted logs if JSON parsing fails. It extracts fields, performs data transformations such as string conversions, renaming, and merging, and maps them to the Unified Data Model (UDM), handling various log formats and enriching the data with additional context such as labels and authentication details.
Before you begin
Make sure you have the following prerequisites:
- Google SecOps instance
- active Azure tenant
- Privileged access to Azure and Administrative Security role
Configure Azure Storage account
- In the Azure console, search for Storage accounts.
- Click Create.
- Specify values for the following input parameters:
- Subscription: select the subscription.
- Resource Group: select the resource group.
- Region: select the region.
- Performance: select the type of performance (Standard recommended).
- Redundancy: select the type of redundancy (GRS or LRS recommended).
- Storage account name: enter a name for the new Storage account.
- Click Review + create.
- Review the overview of the account and click Create.
- From the storage account Overview page, select the Access keys submenu under Security + networking.
- Click Show next to key1 or key2.
- Click Copy to clipboard to copy the key.
- Save the key in a secure location for future reference.
- From the storage account Overview page, select the Endpoints submenu under Settings.
- Click Copy to clipboard to copy the Blob service endpoint URL (for example, https://<storageaccountname>.blob.core.windows.net).
- Save the endpoint URL in a secure location for future reference.
- Go to Overview > JSON View.
- Copy and save the Storage Resource ID.
Configure Log Export for Microsoft Defender for Identity
- Sign in to the Defender Portal using a privileged account.
- Go to Settings.
- Select the Microsoft Defender XDR tab.
- Select Streaming API from the General section and click Add.
- Select Forward events to Azure Storage.
- Provide the following configuration details:
- Name: Enter a unique and meaningful name.
- Select Forward events to Azure Storage.
- Storage Account Resource ID: Enter the Azure Storage resource ID copied earlier.
- Event Types: Select both Alerts & Behaviors and Devices.
- Click Submit.
Set up feeds
There are two different entry points to set up feeds in the Google SecOps platform:
- SIEM Settings > Feeds > Add New
- Content Hub > Content Packs > Get Started
How to set up the Microsoft Defender for Identity feed
- Click the Microsoft Defender pack.
- Specify the following values:
  - Source Type: Microsoft Azure Blob Storage V2.
  - Azure uri: the blob endpoint URL, in the form ENDPOINT_URL/BLOB_NAME. Replace the following:
    - ENDPOINT_URL: the blob endpoint URL (for example, https://<storageaccountname>.blob.core.windows.net).
    - BLOB_NAME: the name of the blob (for example, insights-logs-<logname>).
  - Source deletion options: select the deletion option according to your preference.
  - Advanced options:
    - Feed Name: A prepopulated value that identifies the feed.
    - Asset Namespace: Namespace associated with the feed.
    - Ingestion Labels: Labels applied to all events from this feed.
- Click Create feed.
For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product.
UDM mapping table
Log Field | UDM Mapping | Logic |
---|---|---|
`category` | `metadata.log_type` | The raw log `category` field is mapped to `metadata.log_type`. |
`properties.AccountDisplayName` | Not Mapped | This field is not mapped to the IDM object in the UDM. |
`properties.AccountName` | Not Mapped | This field is not mapped to the IDM object in the UDM. |
`properties.AccountUpn` | Not Mapped | This field is not mapped to the IDM object in the UDM. |
`properties.ActionType` | `metadata.product_event_type` | The raw log `properties.ActionType` field is mapped to `metadata.product_event_type`. |
`properties.AdditionalFields.ACTOR.ACCOUNT` | Not Mapped | This field is not mapped to the IDM object in the UDM. |
`properties.AdditionalFields.ACTOR.DEVICE` | `principal.asset.asset_id` | The parser extracts the value of `properties.AdditionalFields.ACTOR.DEVICE` and prepends `ASSET ID:`. |
`properties.AdditionalFields.ACTOR.ENTITY_USER` | Not Mapped | This field is not mapped to the IDM object in the UDM. |
`properties.AdditionalFields.Count` | Not Mapped | This field is not mapped to the IDM object in the UDM. |
`properties.AdditionalFields.DestinationComputerDnsName` | Not Mapped | This field is not mapped to the IDM object in the UDM. |
`properties.AdditionalFields.DestinationComputerObjectGuid` | `target.asset.product_object_id` | The first element of the array `properties.AdditionalFields.DestinationComputerObjectGuid` is mapped to `target.asset.product_object_id`. Subsequent elements are mapped to `additional.fields` with keys like `DestinationComputerObjectGuid_1`, `DestinationComputerObjectGuid_2`, etc. |
`properties.AdditionalFields.DestinationComputerOperatingSystem` | `target.asset.platform_software.platform_version` | The first element of the array `properties.AdditionalFields.DestinationComputerOperatingSystem` is mapped to `target.asset.platform_software.platform_version`. Subsequent elements are mapped to `additional.fields` with keys like `DestinationComputerOperatingSystem_1`, `DestinationComputerOperatingSystem_2`, etc. |
`properties.AdditionalFields.DestinationComputerOperatingSystemType` | `target.asset.platform_software.platform` | If the value is `windows`, the UDM field is set to `WINDOWS`. |
`properties.AdditionalFields.DestinationComputerOperatingSystemVersion` | `target.platform_version` | The first element of the array `properties.AdditionalFields.DestinationComputerOperatingSystemVersion` is mapped to `target.platform_version`. Subsequent elements are mapped to `additional.fields` with keys like `DestinationComputerOperatingSystemVersion1`, `DestinationComputerOperatingSystemVersion2`, etc. |
`properties.AdditionalFields.FROM.DEVICE` | `principal.asset.asset_id` | The parser extracts the value of `properties.AdditionalFields.FROM.DEVICE` and prepends `ASSET ID:`. |
`properties.AdditionalFields.KerberosDelegationType` | Not Mapped | This field is not mapped to the IDM object in the UDM. |
`properties.AdditionalFields.SourceAccountId` | Not Mapped | This field is not mapped to the IDM object in the UDM. |
`properties.AdditionalFields.SourceAccountSid` | Not Mapped | This field is not mapped to the IDM object in the UDM. |
`properties.AdditionalFields.SourceComputerObjectGuid` | `principal.asset.product_object_id` | The raw log `properties.AdditionalFields.SourceComputerObjectGuid` field is mapped to `principal.asset.product_object_id`. |
`properties.AdditionalFields.SourceComputerOperatingSystem` | `principal.asset.platform_software.platform_version` | The raw log `properties.AdditionalFields.SourceComputerOperatingSystem` field is mapped to `principal.asset.platform_software.platform_version`. |
`properties.AdditionalFields.SourceComputerOperatingSystemType` | `principal.asset.platform_software.platform_version` | If the value is `windows`, the UDM field is set to `WINDOWS`. |
`properties.AdditionalFields.SourceComputerOperatingSystemVersion` | Not Mapped | This field is not mapped to the IDM object in the UDM. |
`properties.AdditionalFields.Spns` | Not Mapped | This field is not mapped to the IDM object in the UDM. |
`properties.AdditionalFields.TARGET_OBJECT.ENTITY_USER` | Not Mapped | This field is not mapped to the IDM object in the UDM. |
`properties.AdditionalFields.TARGET_OBJECT.USER` | `target.user.userid` | The first element of the array `properties.AdditionalFields.TARGET_OBJECT.USER` is mapped to `target.user.userid`. Subsequent elements are mapped to `additional.fields` with keys like `TARGET_OBJECT.USER_1`, `TARGET_OBJECT.USER_2`, etc. |
`properties.AdditionalFields.TO.DEVICE` | `target.asset.asset_id` | The first element of the array `properties.AdditionalFields.TO.DEVICE` is mapped to `target.asset.asset_id` with `ASSET ID:` prepended. Subsequent elements are mapped to `additional.fields` with keys like `TODEVICE1`, `TODEVICE2`, etc. |
`properties.AuthenticationDetails` | `extensions.auth.auth_details` | The parser removes curly braces, square brackets, and double quotes from the value and prepends `AuthenticationDetails:`. |
`properties.DeliveryAction` | `additional.fields` | Mapped with key `DeliveryAction`. |
`properties.DeliveryLocation` | `additional.fields` | Mapped with key `DeliveryLocation`. |
`properties.DestinationDeviceName` | `target.hostname`, `target.asset.hostname` | The raw log `properties.DestinationDeviceName` field is mapped to both `target.hostname` and `target.asset.hostname`. |
`properties.DestinationIPAddress` | `target.ip`, `target.asset.ip` | The raw log `properties.DestinationIPAddress` field is mapped to both `target.ip` and `target.asset.ip`. |
`properties.DestinationPort` | `target.port` | The raw log `properties.DestinationPort` field is mapped to `target.port`. |
`properties.DeviceName` | `principal.hostname`, `principal.asset.hostname` | The raw log `properties.DeviceName` field is mapped to both `principal.hostname` and `principal.asset.hostname`. |
`properties.EmailClusterId` | `additional.fields` | Mapped with key `EmailClusterId`. |
`properties.EmailDirection` | `network.direction` | If the value is `Inbound`, the UDM field is set to `INBOUND`. If the value is `Outbound`, the UDM field is set to `OUTBOUND`. Otherwise, it's set to `UNKNOWN_DIRECTION`. |
`properties.EmailLanguage` | `additional.fields` | Mapped with key `EmailLanguage`. |
`properties.InitiatingProcessAccountDomain` | `principal.administrative_domain` | The raw log `properties.InitiatingProcessAccountDomain` field is mapped to `principal.administrative_domain`. |
`properties.InitiatingProcessAccountSid` | `principal.user.windows_sid` | The raw log `properties.InitiatingProcessAccountSid` field is mapped to `principal.user.windows_sid`. |
`properties.InitiatingProcessCommandLine` | `principal.process.command_line` | The raw log `properties.InitiatingProcessCommandLine` field is mapped to `principal.process.command_line`. |
`properties.InitiatingProcessFileName` | `principal.process.file.full_path` | Used in combination with `properties.InitiatingProcessFolderPath` to construct the full path. If `properties.InitiatingProcessFolderPath` already contains the filename, it's used directly. |
`properties.InitiatingProcessFolderPath` | `principal.process.file.full_path` | Used in combination with `properties.InitiatingProcessFileName` to construct the full path. |
`properties.InitiatingProcessId` | `principal.process.pid` | The raw log `properties.InitiatingProcessId` field is mapped to `principal.process.pid`. |
`properties.InitiatingProcessIntegrityLevel` | `about.labels` | Mapped with key `InitiatingProcessIntegrityLevel`. |
`properties.InitiatingProcessMD5` | `principal.process.file.md5` | The raw log `properties.InitiatingProcessMD5` field is mapped to `principal.process.file.md5`. |
`properties.InitiatingProcessParentId` | `principal.process.parent_process.pid` | The raw log `properties.InitiatingProcessParentId` field is mapped to `principal.process.parent_process.pid`. |
`properties.InitiatingProcessParentFileName` | `principal.process.parent_process.file.full_path` | The raw log `properties.InitiatingProcessParentFileName` field is mapped to `principal.process.parent_process.file.full_path`. |
`properties.InitiatingProcessSHA1` | `principal.process.file.sha1` | The raw log `properties.InitiatingProcessSHA1` field is mapped to `principal.process.file.sha1`. |
`properties.InitiatingProcessSHA256` | `principal.process.file.sha256` | The raw log `properties.InitiatingProcessSHA256` field is mapped to `principal.process.file.sha256`. |
`properties.InitiatingProcessTokenElevation` | `about.labels` | Mapped with key `InitiatingProcessTokenElevation`. |
`properties.InternetMessageId` | `additional.fields` | The parser removes angle brackets and maps the value with key `InternetMessageId`. |
`properties.IPAddress` | `principal.ip`, `principal.asset.ip` | The raw log `properties.IPAddress` field is mapped to both `principal.ip` and `principal.asset.ip`. |
`properties.LogonType` | `extensions.auth.mechanism` | Used to derive the value for `extensions.auth.mechanism`. |
`properties.Port` | `principal.port` | The raw log `properties.Port` field is mapped to `principal.port`. |
`properties.PreviousRegistryKey` | `src.registry.registry_key` | The raw log `properties.PreviousRegistryKey` field is mapped to `src.registry.registry_key`. |
`properties.PreviousRegistryValueData` | `src.registry.registry_value_data` | The raw log `properties.PreviousRegistryValueData` field is mapped to `src.registry.registry_value_data`. |
`properties.PreviousRegistryValueName` | `src.registry.registry_value_name` | The raw log `properties.PreviousRegistryValueName` field is mapped to `src.registry.registry_value_name`. |
`properties.Query` | `principal.user.attribute.labels` | Mapped with key `LDAP Search Scope`. |
`properties.RecipientEmailAddress` | Not Mapped | This field is not mapped to the IDM object in the UDM. |
`properties.RegistryKey` | `target.registry.registry_key` | The raw log `properties.RegistryKey` field is mapped to `target.registry.registry_key`. |
`properties.RegistryValueData` | `target.registry.registry_value_data` | The raw log `properties.RegistryValueData` field is mapped to `target.registry.registry_value_data`. |
`properties.RegistryValueName` | `target.registry.registry_value_name` | The raw log `properties.RegistryValueName` field is mapped to `target.registry.registry_value_name`. |
`properties.ReportId` | `about.labels` | Mapped with key `ReportId`. |
`properties.SenderIPv4` | `principal.ip`, `principal.asset.ip` | The raw log `properties.SenderIPv4` field is mapped to both `principal.ip` and `principal.asset.ip`. |
`properties.SenderMailFromAddress` | `principal.user.attribute.labels` | Mapped with key `SenderMailFromAddress`. |
`properties.SenderMailFromDomain` | `principal.user.attribute.labels` | Mapped with key `SenderMailFromDomain`. |
`properties.SenderObjectId` | `principal.user.product_object_id` | The raw log `properties.SenderObjectId` field is mapped to `principal.user.product_object_id`. |
`properties.Timestamp` | `metadata.event_timestamp` | The raw log `properties.Timestamp` field is mapped to `metadata.event_timestamp`. |
`tenantId` | `observer.cloud.project.id` | The raw log `tenantId` field is mapped to `observer.cloud.project.id`. |
N/A | `extensions.auth.type` | The value `MACHINE` is assigned by the parser. |
N/A | `metadata.event_type` | Derived based on the `category` and `properties.ActionType` fields. Can be `USER_LOGIN`, `USER_RESOURCE_ACCESS`, `USER_CHANGE_PASSWORD`, `REGISTRY_MODIFICATION`, `REGISTRY_DELETION`, `REGISTRY_CREATION`, `GENERIC_EVENT`, or `STATUS_UPDATE`. |
N/A | `metadata.vendor_name` | The value `Microsoft` is assigned by the parser. |
N/A | `metadata.product_name` | The value `Microsoft Defender Identity` is assigned by the parser. |
`cs1` | `metadata.url_back_to_product` | The raw log `cs1` field is mapped to `metadata.url_back_to_product`. |
`externalId` | `metadata.product_log_id` | The raw log `externalId` field is mapped to `metadata.product_log_id`. |
`msg` | `metadata.description` | The raw log `msg` field is mapped to `metadata.description`. |
`rule_name` | `security_result.rule_name` | The raw log `rule_name` field is mapped to `security_result.rule_name`. |
`severity` | `security_result.severity` | The raw log `severity` field is mapped to `security_result.severity`. |
`shost` | `principal.hostname`, `principal.asset.hostname` | The raw log `shost` field is mapped to both `principal.hostname` and `principal.asset.hostname`. |
`src` | `principal.ip` | The raw log `src` field is mapped to `principal.ip`. |
`suser` | `principal.user.user_display_name` | The raw log `suser` field is mapped to `principal.user.user_display_name`. |
`time` | `metadata.event_timestamp` | The raw log `time` field is mapped to `metadata.event_timestamp`. |
`userid` | `principal.user.userid` | The raw log `userid` field is mapped to `principal.user.userid`. |
N/A | `security_result.action` | Derived based on the `properties.ActionType` field. Can be `ALLOW` or `BLOCK`. |
N/A | `security_result.summary` | Derived from either the `category` field or the `properties.ActionType` field. |
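As an added illustration that is not Google's parser code, the following Python models a handful of the transformations the table above describes (array splitting into `additional.fields`, the `ASSET ID:` prefix, `AuthenticationDetails` cleanup, full-path construction, and `EmailDirection`) over a constructed sample record, so expected UDM output can be checked before writing detections against these fields. The backslash path separator, the exact spacing after the prepended labels, and the flat dotted-key output format are assumptions.

```python
import json

SAMPLE_LOG = json.dumps({  # constructed sample record, not data from any real tenant
    "category": "AdvancedHunting-IdentityLogonEvents",
    "tenantId": "00000000-0000-0000-0000-000000000000",
    "properties": {
        "ActionType": "LogonSuccess",
        "EmailDirection": "Inbound",
        "InitiatingProcessFolderPath": "C:\\Windows\\System32",
        "InitiatingProcessFileName": "lsass.exe",
        "AuthenticationDetails": "{\"Protocol\":[\"Kerberos\"]}",
        "AdditionalFields": {
            "FROM": {"DEVICE": "dc01"},
            "TO": {"DEVICE": ["fs01", "fs02"]},
            "DestinationComputerObjectGuid": ["guid-a", "guid-b", "guid-c"],
        },
    },
})
DIRECTION = {"Inbound": "INBOUND", "Outbound": "OUTBOUND"}
STRIP = str.maketrans("", "", '{}[]"')  # characters the table says are removed


def split_array(values, udm_key, extra_key_fmt, udm, prefix=""):
    """First element -> udm_key; the rest -> additional.fields as extra_key_fmt.format(1), (2), ..."""
    values = values if isinstance(values, list) else [values]
    udm[udm_key] = prefix + values[0]
    for i, extra in enumerate(values[1:], start=1):
        udm.setdefault("additional.fields", {})[extra_key_fmt.format(i)] = extra


def to_udm(raw):
    log = json.loads(raw)
    p, add = log["properties"], log["properties"].get("AdditionalFields", {})
    folder, name = p["InitiatingProcessFolderPath"], p["InitiatingProcessFileName"]
    udm = {
        "metadata.log_type": log["category"],
        "metadata.product_event_type": p["ActionType"],
        "observer.cloud.project.id": log["tenantId"],
        "network.direction": DIRECTION.get(p.get("EmailDirection"), "UNKNOWN_DIRECTION"),
        # Join folder and file name unless the folder already ends with it (backslash separator assumed).
        "principal.process.file.full_path": folder if folder.endswith(name) else folder + "\\" + name,
        # Remove {}, [] and double quotes, then prepend the label (exact spacing assumed).
        "extensions.auth.auth_details": "AuthenticationDetails:" + p["AuthenticationDetails"].translate(STRIP),
        "principal.asset.asset_id": "ASSET ID:" + add["FROM"]["DEVICE"],
    }
    split_array(add["TO"]["DEVICE"], "target.asset.asset_id", "TODEVICE{}", udm, "ASSET ID:")
    split_array(add["DestinationComputerObjectGuid"], "target.asset.product_object_id",
                "DestinationComputerObjectGuid_{}", udm)
    return udm
```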