Collect Microsoft Defender for Endpoint logs

Supported in:

Google secops SIEM

This document describes how you can collect Microsoft Defender for Endpoint logs by setting up a Google Security Operations feed and how log fields map to Google SecOps unified data model (UDM) fields.

For more information, see Data ingestion to Google SecOps .

A typical deployment consists of Microsoft Defender for Endpoint and the Google SecOps feed configured to send logs to Google SecOps. Your deployment might be different from the typical deployment that is described in this document. The deployment contains the following components:

Microsoft Defender for Endpoint: The platform that collects logs.
Azure Storage: The platform that stores logs.
Google SecOps feed: The Google SecOps feed that fetches logs from Microsoft Defender for Endpoint and writes logs to Google SecOps.
Google SecOps: The platform that retains and analyzes the logs from Microsoft Defender for Endpoint.

An ingestion label identifies the parser that normalizes raw log data to structured UDM format. The information in this document applies to the parser with the MICROSOFT_DEFENDER_ENDPOINT ingestion label.

Before you begin

Ensure you have the following prerequisites:

All systems in the deployment architecture are configured with the UTC time zone.
You meet the prerequisites for using Microsoft Defender for Endpoint. For more information, see Microsoft Defender XDR prerequisites .
Configured Microsoft Defender for Endpoint
A configured storage account in your tenant. To configure the storage account, see Configure Azure Storage account . For a general overview of storage accounts, see Microsoft Azure storage account overview .

Configure Azure Storage account

This section describes how to configure and deploy an Azure Storage account in Microsoft Azure.

Create storage account

Before you begin, ensure that your resource group has been successfully deployed in your Azure environment.

In the Azure portal, search for Storage accounts.
Click Create.

Provide the following configuration details under the Basicstab:

Setting	Value
Subscription	Select your Azure subscription.
Resource group	Select the deployed resource group.
Storage account name	Enter a globally unique name between 3 and 24 characters, using lowercase letters and numbers only.
Region	Select the region closest to your users or workloads.
Primary service	Select the primary service, such as Azure Blob Storage or Azure Data Lake Storage Gen2.
Performance	Select Standard(recommended for most scenarios) or Premium(for low-latency workloads).
Redundancy	Select the replication option based on your availability requirements (for example, Locally-redundant storage (LRS)).

Click Review + create.
After validation passes, click Createto deploy the Storage Account.

Set up Microsoft Defender for Endpoint

Sign in to security.microsoft.com as a global administrator or security administrator.
In the left pane, click Settings.
Select the Microsoft Defender XDRtab.
Select Streaming APIfrom the general section and click Add.
Select Forward events to Azure Storage.
Navigate to the storage account of your choice.
Select Overview > JSON Viewand enter the Resource ID.
After you enter the resource ID, select all the required data types.
Click Save.

Set up feeds

There are two different entry points to set up feeds in the Google SecOps platform:

SIEM Settings > Feeds > Add New Feed
Content Hub > Content Packs > Get Started

How to set up the Microsoft Defender for Endpoint feed

Click the Microsoft Defenderpack.
Locate the Microsoft Defender for Endpointlog type.
Specify values in the following fields:
- Source Type: Microsoft Azure Blob Storage V2.
- Azure URI: The URI pointing to an Azure Blob Storage blob or container.
- Source deletion option: whether to delete files or directories after transferring.
- Maximum File Age: Include files modified in the last number of days. Default is 180 days.
- Select Shared keyor SAS token.
- Key: The shared key or SAS token to access Azure resources.
Caution: To avoid HTTP 429 (Too Many Requests)errors and ingestion delays, don't reuse the same shared key or storage account across multiple feeds.

Advanced options
- Feed Name: A prepopulated value that identifies the feed.
- Asset Namespace: Namespace associated with the feed.
- Ingestion Labels: Labels applied to all events from this feed.
Click Create feed.

For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product .

Supported Microsoft Defender for Endpoint log types

The Microsoft Defender for Endpoint parser supports the following tables:

AlertEvidence
AlertInfo
CloudAppEvents
DeviceAlertEvents
DeviceEvents
DeviceFileCertificateInfo
DeviceFileEvents
IdentityLogonEvents
DeviceImageLoadEvents
DeviceInfo
DeviceLogonEvents
DeviceNetworkEvents
DeviceNetworkInfo
DeviceProcessEvents
DeviceRegistryEvents
DeviceTvmInfoGathering
DeviceTvmInfoGatheringKB
DeviceTvmSecureConfigurationAssessment
DeviceTvmSecureConfigurationAssessmentKB
DeviceTvmSoftwareEvidenceBeta
DeviceTvmSoftwareInventory
DeviceTvmSoftwareVulnerabilities
DeviceTvmSoftwareVulnerabilitiesKB
EmailAttachmentInfo
EmailEvents
EmailPostDeliveryEvents
EmailUrlInfo
IdentityInfo

Supported Microsoft Defender for Endpoint log formats

The Microsoft Defender for Endpoint parser supports logs in JSON format.

Supported Microsoft Defender for Endpoint sample logs

JSON:

 {
  "time": "2021-07-16T09:57:38.1599837Z",
  "tenantId": "ed236696-8612-40d7-8b49-xxxxxxxxxxx",
  "operationName": "Publish",
  "category": "AdvancedHunting-DeviceInfo",
  "properties": {
    "OSBuild": null,
    "RegistryDeviceTag": null,
    "IsAzureADJoined": null,
    "PublicIP": "198.51.100.0",
    "OSArchitecture": null,
    "OSVersion": null,
    "OSPlatform": null,
    "LoggedOnUsers": "[{\\"UserName\\":\\"bob\\",\\"DomainName\\":\\"DESKTOP-BOB\\",\\"Sid\\":\\"S-1-5-21-1695909852-106810125-1651530144-1001\\"}]",
    "AdditionalFields": "{\\"IsLocalLogon\\":true}",
    "DeviceObjectId": null,
    "DeviceId": "e93c25ad74cc1dd30afeb642696a2559824589e5",
    "MachineGroup": null,
    "Timestamp": "2021-07-16T09:54:41.0662159Z",
    "DeviceName": "desktop-dummy",
    "ReportId": 193010,
    "ClientVersion": "10.7431.19041.746"
  }
}

Field mapping reference

This section explains how the Google Security Operations parser maps Microsoft Defender for Endpoint fields to Google Security Operations UDM fields.

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - Common Fields for UDM Event Model

The following table lists the common log fields for the MICROSOFT_DEFENDER_ENDPOINT log type and their corresponding UDM fields:

Common log field	UDM mapping	Logic
`time`	`metadata.collected_timestamp`
`category`	`metadata.product_event_type`
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Microsoft Defender for Endpoint` .
	`metadata.vendor_name`	The `metadata.vendor_name` UDM field is set to `Microsoft` .
`Tenant`	`observer.resource_ancestors.name`
`tenantId`	`observer.resource_ancestors.product_object_id`
`operationName`	`additional.fields[operation_name]`
`properties.ActionType`	`security_result.summary`

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - Common Fields for UDM Entity Model

The following table lists the common log fields for the MICROSOFT_DEFENDER_ENDPOINT log type and their corresponding UDM fields:

Common log field	UDM mapping	Logic
	`metadata.vendor_name`	The `metadata.vendor_name` UDM field is set to `Microsoft` .
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Microsoft Defender for Endpoint` .
`time`	`metadata.collected_timestamp`
`tenantId`	`relations.entity.resource.product_object_id`
`operationName`	`additional.fields[operation_name]`
`category`	`metadata.description`
`Tenant`	`relations.entity.resource.name`
	`relations.entity_type`	The `relations.entity_type` UDM field is set to `RESOURCE` .
	`relations.relationship`	The `relations.relationship` UDM field is set to `MEMBER` .
	`relations.direction`	The `relations.direction` UDM field is set to `UNIDIRECTIONAL` .

Field mapping reference: DeviceEvents Event Identifier to Event Type

The following table lists the DeviceEvents log action types and their corresponding UDM event types.

Event Identifier	Event Type
`AntivirusDefinitionsUpdated`	`SCAN_HOST`
`AntivirusDefinitionsUpdateFailed`	`SETTING_MODIFICATION`
`AntivirusDetection`	`SCAN_HOST`
`AntivirusDetectionActionType`	`SCAN_HOST`
`AntivirusEmergencyUpdatesInstalled`	`SETTING_MODIFICATION`
`AntivirusError`	`SCAN_HOST`
`AntivirusMalwareActionFailed`	`SCAN_HOST`
`AntivirusMalwareBlocked`	`SCAN_HOST`
`AntivirusReport`	`SCAN_HOST`
`AntivirusScanCancelled`	`SCAN_HOST`
`AntivirusScanCompleted`	`SCAN_HOST`
`AntivirusScanFailed`	`SCAN_HOST`
`AntivirusTroubleshootModeEvent`	`STATUS_UPDATE`
`AppControlAppInstallationAudited`	`SCAN_HOST`
`AppControlAppInstallationBlocked`	`SCAN_HOST`
`AppControlCIScriptAudited`	`SCAN_HOST`
`AppControlCIScriptBlocked`	`SCAN_HOST`
`AppControlCodeIntegrityDriverRevoked`	`SCAN_FILE`
`AppControlCodeIntegrityImageAudited`	`SCAN_FILE`
`AppControlCodeIntegrityImageRevoked`	`SCAN_FILE`
`AppControlCodeIntegrityOriginAllowed`	`SCAN_FILE`
`AppControlCodeIntegrityOriginAudited`	`SCAN_FILE`
`AppControlCodeIntegrityOriginBlocked`	`SCAN_FILE`
`AppControlCodeIntegrityPolicyAudited`	`SCAN_FILE`
`AppControlCodeIntegrityPolicyBlocked`	`SCAN_FILE`
`AppControlCodeIntegrityPolicyLoaded`	`SCAN_FILE`
`AppControlCodeIntegritySigningInformation`	`GENERIC_EVENT`
`AppControlExecutableAudited`	`SCAN_HOST`
`AppControlExecutableBlocked`	`SCAN_HOST`
`AppControlPackagedAppAudited`	`SCAN_HOST`
`AppControlPackagedAppBlocked`	`SCAN_HOST`
`AppControlPolicyApplied`	`SETTING_MODIFICATION`
`AppControlScriptAudited`	`SCAN_HOST`
`AppControlScriptBlocked`	`SCAN_HOST`
`AppGuardBrowseToUrl`	`NETWORK_UNCATEGORIZED`
`AppGuardCreateContainer`	`PROCESS_LAUNCH`
`AppGuardLaunchedWithUrl`	`PROCESS_LAUNCH`
`AppGuardResumeContainer`	`PROCESS_UNCATEGORIZED`
`AppGuardStopContainer`	`PROCESS_TERMINATION`
`AppGuardSuspendContainer`	`PROCESS_UNCATEGORIZED`
`AppLockerBlockExecutable`	`SCAN_HOST`
`AppLockerBlockPackagedApp`	`SCAN_HOST`
`AppLockerBlockPackagedAppInstallation`	`SCAN_HOST`
`AppLockerBlockScript`	`SCAN_HOST`
`AsrAbusedSystemToolAudited`	`SCAN_HOST`
`AsrAbusedSystemToolBlocked`	`SCAN_HOST`
`AsrAbusedSystemToolWarnBypassed`	`SCAN_HOST`
`AsrAdobeReaderChildProcessAudited`	`SCAN_HOST`
`AsrAdobeReaderChildProcessBlocked`	`SCAN_HOST`
`AsrAdobeReaderChildProcessWarnBypassed`	`SCAN_HOST`
`AsrExecutableEmailContentAudited`	`SCAN_HOST`
`AsrExecutableEmailContentBlocked`	`SCAN_HOST`
`AsrExecutableEmailContentWarnBypassed`	`SCAN_HOST`
`AsrExecutableOfficeContentAudited`	`SCAN_HOST`
`AsrExecutableOfficeContentBlocked`	`SCAN_HOST`
`AsrExecutableOfficeContentWarnBypassed`	`SCAN_HOST`
`AsrLsassCredentialTheftAudited`	`SCAN_HOST`
`AsrLsassCredentialTheftBlocked`	`SCAN_HOST`
`AsrLsassCredentialTheftWarnBypassed`	`SCAN_HOST`
`AsrObfuscatedScriptAudited`	`SCAN_HOST`
`AsrObfuscatedScriptBlocked`	`SCAN_HOST`
`AsrObfuscatedScriptWarnBypassed`	`SCAN_HOST`
`AsrOfficeChildProcessAudited`	`SCAN_HOST`
`AsrOfficeChildProcessBlocked`	`SCAN_HOST`
`AsrOfficeChildProcessWarnBypassed`	`SCAN_HOST`
`AsrOfficeCommAppChildProcessAudited`	`SCAN_HOST`
`AsrOfficeCommAppChildProcessBlocked`	`SCAN_HOST`
`AsrOfficeCommAppChildProcessWarnBypassed`	`SCAN_HOST`
`AsrOfficeMacroWin32ApiCallsAudited`	`SCAN_HOST`
`AsrOfficeMacroWin32ApiCallsBlocked`	`SCAN_HOST`
`AsrOfficeMacroWin32ApiCallsWarnBypassed`	`SCAN_HOST`
`AsrOfficeProcessInjectionAudited`	`SCAN_HOST`
`AsrOfficeProcessInjectionBlocked`	`SCAN_HOST`
`AsrOfficeProcessInjectionWarnBypassed`	`SCAN_HOST`
`AsrPersistenceThroughWmiAudited`	`SCAN_HOST`
`AsrPersistenceThroughWmiBlocked`	`SCAN_HOST`
`AsrPersistenceThroughWmiWarnBypassed`	`SCAN_HOST`
`AsrPsexecWmiChildProcessAudited`	`SCAN_HOST`
`AsrPsexecWmiChildProcessBlocked`	`SCAN_HOST`
`AsrPsexecWmiChildProcessWarnBypassed`	`SCAN_HOST`
`AsrRansomwareAudited`	`SCAN_HOST`
`AsrRansomwareBlocked`	`SCAN_HOST`
`AsrRansomwareWarnBypassed`	`SCAN_HOST`
`AsrSafeModeRebootAudited`	`SCAN_HOST`
`AsrSafeModeRebootBlocked`	`SCAN_HOST`
`AsrSafeModeRebootWarnBypassed`	`SCAN_HOST`
`AsrScriptExecutableDownloadAudited`	`SCAN_HOST`
`AsrScriptExecutableDownloadBlocked`	`SCAN_HOST`
`AsrScriptExecutableDownloadWarnBypassed`	`SCAN_HOST`
`AsrUntrustedExecutableAudited`	`SCAN_HOST`
`AsrUntrustedExecutableBlocked`	`SCAN_HOST`
`AsrUntrustedExecutableWarnBypassed`	`SCAN_HOST`
`AsrUntrustedUsbProcessAudited`	`SCAN_HOST`
`AsrUntrustedUsbProcessBlocked`	`SCAN_HOST`
`AsrUntrustedUsbProcessWarnBypassed`	`SCAN_HOST`
`AsrVulnerableSignedDriverAudited`	`SCAN_HOST`
`AsrVulnerableSignedDriverBlocked`	`SCAN_HOST`
`AsrVulnerableSignedDriverWarnBypassed`	`SCAN_HOST`
`AsrWebShellOnServerAudited`	`SCAN_HOST`
`AsrWebShellOnServerBlocked`	`SCAN_HOST`
`AsrWebShellWarnBypassed`	`SCAN_HOST`
`AuditPolicyModification`	`SETTING_MODIFICATION`
`BitLockerAuditCompleted`	`STATUS_UPDATE`
`BluetoothPolicyTriggered`	`SCAN_HOST`
`BrowserLaunchedToOpenUrl`	`NETWORK_UNCATEGORIZED`
`BruteForceActivityDetected`	`USER_LOGIN`
`ClrUnbackedModuleLoaded`	`PROCESS_MODULE_LOAD`
`ContainedDeviceConnectionBlocked`	`NETWORK_CONNECTION`
`ControlFlowGuardViolation`	`SCAN_HOST`
`ControlledFolderAccessViolationAudited`	`SCAN_FILE`
`ControlledFolderAccessViolationBlocked`	`SCAN_FILE`
`CreateRemoteThreadApiCall`	`PROCESS_UNCATEGORIZED`
`CredentialsBackup`	`SERVICE_START`
`DeviceBootAttestationInfo`	`GENERIC_EVENT`
`DirectoryServiceObjectCreated`	`RESOURCE_CREATION`
`DirectoryServiceObjectModified`	`RESOURCE_WRITTEN`
`DlpPocPrintJob`	`FILE_UNCATEGORIZED`
`DnsQueryRequest`	`NETWORK_DNS`
`DnsQueryResponse`	`NETWORK_DNS`
`DpapiAccessed`	`PROCESS_UNCATEGORIZED`
`DriverLoad`	`PROCESS_MODULE_LOAD`
`ExploitGuardAcgAudited`	`SCAN_HOST`
`ExploitGuardAcgEnforced`	`SCAN_HOST`
`ExploitGuardChildProcessAudited`	`SCAN_HOST`
`ExploitGuardChildProcessBlocked`	`SCAN_HOST`
`ExploitGuardEafViolationAudited`	`SCAN_HOST`
`ExploitGuardEafViolationBlocked`	`SCAN_HOST`
`ExploitGuardIafViolationAudited`	`SCAN_HOST`
`ExploitGuardIafViolationBlocked`	`SCAN_HOST`
`ExploitGuardLowIntegrityImageAudited`	`SCAN_HOST`
`ExploitGuardLowIntegrityImageBlocked`	`SCAN_HOST`
`ExploitGuardNetworkProtectionAudited`	`SCAN_HOST`
`ExploitGuardNetworkProtectionBlocked`	`SCAN_HOST`
`ExploitGuardNonMicrosoftSignedAudited`	`SCAN_HOST`
`ExploitGuardNonMicrosoftSignedBlocked`	`SCAN_HOST`
`ExploitGuardRopExploitAudited`	`SCAN_HOST`
`ExploitGuardRopExploitBlocked`	`SCAN_HOST`
`ExploitGuardSharedBinaryAudited`	`SCAN_HOST`
`ExploitGuardSharedBinaryBlocked`	`SCAN_HOST`
`ExploitGuardWin32SystemCallAudited`	`SCAN_HOST`
`ExploitGuardWin32SystemCallBlocked`	`SCAN_HOST`
`FileTimestampModificationEvent`	`FILE_MODIFICATION`
`FirewallInboundConnectionBlocked`	`NETWORK_CONNECTION`
`FirewallInboundConnectionToAppBlocked`	`NETWORK_CONNECTION`
`FirewallOutboundConnectionBlocked`	`NETWORK_CONNECTION`
`FirewallServiceStopped`	`SERVICE_STOP`
`GetAsyncKeyStateApiCall`	`PROCESS_UNCATEGORIZED`
`GetClipboardData`	`PROCESS_UNCATEGORIZED`
`LdapSearch`	`RESOURCE_READ`
`LogonRightsSettingEnabled`	`USER_CHANGE_PERMISSIONS`
`MemoryRemoteProtect`	`PROCESS_UNCATEGORIZED`
`NamedPipeEvent`	`PROCESS_UNCATEGORIZED`
`NetworkProtectionUserBypassEvent`	`NETWORK_UNCATEGORIZED`
`NetworkShareObjectAccessChecked`	`RESOURCE_READ`
`NetworkShareObjectAdded`	`RESOURCE_CREATION`
`NetworkShareObjectDeleted`	`RESOURCE_DELETION`
`NetworkShareObjectModified`	`RESOURCE_WRITTEN`
`NtAllocateVirtualMemoryApiCall`	`PROCESS_UNCATEGORIZED`
`NtAllocateVirtualMemoryRemoteApiCall`	`PROCESS_UNCATEGORIZED`
`NtMapViewOfSectionRemoteApiCall`	`PROCESS_UNCATEGORIZED`
`NtProtectVirtualMemoryApiCall`	`PROCESS_UNCATEGORIZED`
`OpenProcessApiCall`	`PROCESS_OPEN`
`OtherAlertRelatedActivity`	`STATUS_UPDATE`
`PasswordChangeAttempt`	`USER_CHANGE_PASSWORD`
`PlistPropertyModified`	`FILE_MODIFICATION`
`PnpDeviceAllowed`	`SCAN_HOST`
`PnpDeviceBlocked`	`SCAN_HOST`
`PnpDeviceConnected`	`DEVICE_CONFIG_UPDATE`
`PowerShellCommand`	`PROCESS_LAUNCH`
`PrintJobBlocked`	`SCAN_UNCATEGORIZED`
`ProcessCreatedUsingWmiQuery`	`PROCESS_LAUNCH`
`ProcessPrimaryTokenModified`	`PROCESS_UNCATEGORIZED`
`PTraceDetected`	`PROCESS_UNCATEGORIZED`
`QueueUserApcRemoteApiCall`	`PROCESS_UNCATEGORIZED`
`ReadProcessMemoryApiCall`	`PROCESS_UNCATEGORIZED`
`RemoteDesktopConnection`	`NETWORK_CONNECTION`
`RemoteWmiOperation`	`PROCESS_UNCATEGORIZED`
`RemovableStorageFileEvent`	`FILE_UNCATEGORIZED`
`RemovableStoragePolicyTriggered`	`PROCESS_UNCATEGORIZED`
`SafeDocFileScan`	`SCAN_FILE`
`ScheduledTaskCreated`	`SCHEDULED_TASK_CREATION`
`ScheduledTaskDeleted`	`SCHEDULED_TASK_DELETION`
`ScheduledTaskDisabled`	`SCHEDULED_TASK_DISABLE`
`ScheduledTaskEnabled`	`SCHEDULED_TASK_ENABLE`
`ScheduledTaskUpdated`	`SCHEDULED_TASK_MODIFICATION`
`ScreenshotTaken`	`GENERIC_EVENT`
`ScriptContent`	`PROCESS_LAUNCH`
`SecurityGroupCreated`	`GROUP_CREATION`
`SecurityGroupDeleted`	`GROUP_DELETION`
`SecurityLogCleared`	`SYSTEM_AUDIT_LOG_WIPE`
`SensitiveFileRead`	`FILE_READ`
`ServiceInstalled`	`SERVICE_CREATION`
`SetThreadContextRemoteApiCall`	`PROCESS_UNCATEGORIZED`
`ShellLinkCreateFileEvent`	`FILE_CREATION`
`SmartScreenAppWarning`	`SCAN_HOST`
`SmartScreenExploitWarning`	`SCAN_HOST`
`SmartScreenUrlWarning`	`SCAN_HOST`
`SmartScreenUserOverride`	`SETTING_MODIFICATION`
`TamperingAttempt`	`SETTING_MODIFICATION`
`TvmAxonTelemetryEvent`	`STATUS_UPDATE`
`UntrustedWifiConnection`	`NETWORK_CONNECTION`
`UsbDriveDriveLetterChanged`	`DEVICE_CONFIG_UPDATE`
`UsbDriveMounted`	`DEVICE_CONFIG_UPDATE`
`UsbDriveUnmounted`	`DEVICE_CONFIG_UPDATE`
`UserAccountAddedToLocalGroup`	`GROUP_MODIFICATION`
`UserAccountCreated`	`USER_CREATION`
`UserAccountDeleted`	`USER_DELETION`
`UserAccountModified`	`USER_UNCATEGORIZED`
`UserAccountRemovedFromLocalGroup`	`GROUP_MODIFICATION`
`WmiBindEventFilterToConsumer`	`PROCESS_UNCATEGORIZED`
`WriteProcessMemoryApiCall`	`PROCESS_UNCATEGORIZED`
`WriteToLsassProcessMemory`	`PROCESS_UNCATEGORIZED`
`AccountCheckedForBlankPassword`	`SCAN_UNCATEGORIZED`
`AmsiScriptDetection`	`PROCESS_UNCATEGORIZED`

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceEvents

The following table lists the log fields for the DeviceEvents log type and their corresponding UDM fields:

Log field

UDM mapping

Logic

properties.Timestamp

metadata.event_timestamp

properties.ActionType

metadata.event_type

properties.ReportId

metadata.product_log_id

properties.LogonId

network.session_id

properties.InitiatingProcessSessionId

additional.fields[initiating_process_session_id]

properties.IsInitiatingProcessRemoteSession

additional.fields[is_initiating_process_remote_session]

properties.InitiatingProcessRemoteSessionIP

src.ip

properties.InitiatingProcessRemoteSessionIP

src.asset.ip

properties.ProcessRemoteSessionIP

src.ip

properties.ProcessRemoteSessionIP

src.asset.ip

properties.CreatedProcessSessionId

additional.fields[created_process_session_id]

properties.IsProcessRemoteSession

additional.fields[is_process_remote_session]

extensions.auth.mechanism

The extensions.auth.mechanism UDM field is set to MECHANISM_UNSPECIFIED .

properties.InitiatingProcessRemoteSessionDeviceName

src.hostname

If properties.InitiatingProcessRemoteSessionDeviceName log field is not empty, then properties.InitiatingProcessRemoteSessionDeviceName log field is mapped to src.hostname UDM field.

properties.InitiatingProcessRemoteSessionDeviceName

src.asset.hostname

If properties.InitiatingProcessRemoteSessionDeviceName log field is not empty, then properties.InitiatingProcessRemoteSessionDeviceName log field is mapped to src.asset.hostname UDM field.

properties.ProcessRemoteSessionDeviceName

src.hostname

If properties.InitiatingProcessRemoteSessionDeviceName log field is empty, then properties.ProcessRemoteSessionDeviceName log field is mapped to src.hostname UDM field.

properties.ProcessRemoteSessionDeviceName

src.asset.hostname

If properties.InitiatingProcessRemoteSessionDeviceName log field is empty, then properties.ProcessRemoteSessionDeviceName log field is mapped to src.asset.hostname UDM field.

properties.ActionType

network.application_protocol

If the properties.ActionType log field contains one of the following values, then the network.application_protocol UDM field is set to DNS :

DnsQueryRequest
DnsQueryResponse

target.resource.resource_type

If the properties.ActionType log field contains one of the following values:

AntivirusDefinitionsUpdateFailed
AntivirusEmergencyUpdatesInstalled
AppControlPolicyApplied
AuditPolicyModification
FirewallServiceStopped
SmartScreenUserOverride
TamperingAttempt

then the target.resource.resource_type UDM field is set to SETTING .
Else, if the properties.ActionType log field contains one of the following values:

ScheduledTaskCreated
ScheduledTaskDeleted
ScheduledTaskDisabled
ScheduledTaskEnabled
ScheduledTaskUpdated

then the target.resource.resource_type UDM field is set to TASK .
Else, if the properties.ActionType log field contains one of the following values:

DirectoryServiceObjectCreated
DirectoryServiceObjectModified
NetworkShareObjectAccessChecked
NetworkShareObjectAdded
NetworkShareObjectDeleted
NetworkShareObjectModified

then the target.resource.resource_type UDM field is set to STORAGE_OBJECT .
Else, if the properties.ActionType log field contains one of the following values:

ExploitGuardNetworkProtectionAudited
ExploitGuardNetworkProtectionBlocked
AsrOfficeProcessInjectionAudited
AsrExecutableEmailContentAudited
AsrExecutableOfficeContentAudited
AsrOfficeChildProcessAudited
AsrOfficeCommAppChildProcessAudited
AsrPsexecWmiChildProcessAudited
AsrScriptExecutableDownloadAudited
AsrUntrustedExecutableAudited
AsrUntrustedUsbProcessAudited
AsrWebShellOnServerAudited
ExploitGuardChildProcessAudited
ExploitGuardLowIntegrityImageAudited
ExploitGuardNonMicrosoftSignedAudited
ExploitGuardSharedBinaryAudited
AppControlCIScriptBlocked
AppControlExecutableBlocked
AppControlPackagedAppBlocked
AppControlScriptBlocked
AppLockerBlockExecutable
AppLockerBlockPackagedApp
AppLockerBlockPackagedAppInstallation
AppLockerBlockScript
AsrAbusedSystemToolBlocked
AsrAdobeReaderChildProcessBlocked
AsrExecutableEmailContentBlocked
AsrExecutableOfficeContentBlocked
AsrLsassCredentialTheftBlocked
AsrObfuscatedScriptBlocked
AsrOfficeChildProcessBlocked
AsrOfficeCommAppChildProcessBlocked
AsrOfficeMacroWin32ApiCallsBlocked
AsrOfficeProcessInjectionBlocked
AsrPersistenceThroughWmiBlocked
AsrPsexecWmiChildProcessBlocked
AsrRansomwareBlocked
AsrSafeModeRebootBlocked
AsrScriptExecutableDownloadBlocked
AsrUntrustedExecutableBlocked
AsrUntrustedUsbProcessBlocked
AsrVulnerableSignedDriverBlocked
AsrWebShellOnServerBlocked
ControlFlowGuardViolation
ExploitGuardAcgEnforced
ExploitGuardChildProcessBlocked
ExploitGuardEafViolationBlocked
ExploitGuardIafViolationBlocked
ExploitGuardLowIntegrityImageBlocked
ExploitGuardNonMicrosoftSignedBlocked
ExploitGuardRopExploitBlocked
ExploitGuardSharedBinaryBlocked
ExploitGuardWin32SystemCallBlocked
AppControlAppInstallationBlocked
AppControlAppInstallationAudited
AppControlCIScriptAudited
AppControlExecutableAudited
AppControlPackagedAppAudited
AppControlScriptAudited
AsrAbusedSystemToolAudited
AsrAdobeReaderChildProcessAudited
AsrLsassCredentialTheftAudited
AsrObfuscatedScriptAudited
AsrOfficeMacroWin32ApiCallsAudited
AsrPersistenceThroughWmiAudited
AsrRansomwareAudited
AsrSafeModeRebootAudited
AsrVulnerableSignedDriverAudited
ExploitGuardEafViolationAudited
ExploitGuardIafViolationAudited
ExploitGuardRopExploitAudited
ExploitGuardWin32SystemCallAudited
ExploitGuardAcgAudited
PnpDeviceAllowed
PnpDeviceBlocked
AntivirusDetection
AntivirusDetectionActionType
AntivirusMalwareActionFailed
AntivirusMalwareBlocked
AntivirusReport
AntivirusScanCancelled
AntivirusScanCompleted
AntivirusScanFailed
SmartScreenAppWarning
SmartScreenExploitWarning
SmartScreenUrlWarning
AntivirusError
AntivirusDefinitionsUpdated
AsrAbusedSystemToolWarnBypassed
AsrAdobeReaderChildProcessWarnBypassed
AsrExecutableEmailContentWarnBypassed
AsrExecutableOfficeContentWarnBypassed
AsrLsassCredentialTheftWarnBypassed
AsrObfuscatedScriptWarnBypassed
AsrOfficeChildProcessWarnBypassed
AsrOfficeCommAppChildProcessWarnBypassed
AsrOfficeMacroWin32ApiCallsWarnBypassed
AsrOfficeProcessInjectionWarnBypassed
AsrPersistenceThroughWmiWarnBypassed
AsrPsexecWmiChildProcessWarnBypassed
AsrRansomwareWarnBypassed
AsrSafeModeRebootWarnBypassed
AsrScriptExecutableDownloadWarnBypassed
AsrUntrustedExecutableWarnBypassed
AsrUntrustedUsbProcessWarnBypassed
AsrVulnerableSignedDriverWarnBypassed
AsrWebShellWarnBypassed
BluetoothPolicyTriggered
PnpDeviceConnected

then the target.resource.resource_type UDM field is set to DEVICE .

properties.DeviceId

principal.asset_id

If the properties.ActionType log field contains one of the following values, then DeviceID:%{properties.DeviceId} is mapped to the target.asset_id and target.asset.asset_id UDM field:

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, DeviceID:%{properties.DeviceId} is mapped to the principal.asset_id and principal.asset.asset_id UDM fields.

properties.DeviceId

principal.asset.asset_id

If the properties.ActionType log field contains one of the following values, then DeviceID:%{properties.DeviceId} is mapped to the target.asset_id and target.asset.asset_id UDM field:

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, DeviceID:%{properties.DeviceId} is mapped to the principal.asset_id and principal.asset.asset_id UDM fields.

properties.DeviceId

target.asset_id

If the properties.ActionType log field contains one of the following values, then DeviceID:%{properties.DeviceId} is mapped to the target.asset_id and target.asset.asset_id UDM field:

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, DeviceID:%{properties.DeviceId} is mapped to the principal.asset_id and principal.asset.asset_id UDM fields.

properties.DeviceId

target.asset.asset_id

If the properties.ActionType log field contains one of the following values, then DeviceID:%{properties.DeviceId} is mapped to the target.asset_id and target.asset.asset_id UDM field:

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, DeviceID:%{properties.DeviceId} is mapped to the principal.asset_id and principal.asset.asset_id UDM fields.

properties.InitiatingProcessAccountDomain

principal.administrative_domain

If the properties.ActionType log field contains one of the following values and the properties.InitiatingProcessAccountDomain log field value is not empty, then the properties.InitiatingProcessAccountDomain log field is mapped to the target.administrative_domain UDM field:

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, if the properties.InitiatingProcessAccountDomain log field value is not empty, then the properties.InitiatingProcessAccountDomain log field is mapped to the principal.administrative_domain UDM field.

properties.InitiatingProcessAccountDomain

target.administrative_domain

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

properties.AccountDomain

principal.administrative_domain

If the properties.ActionType log field contains one of the following values:

BruteForceActivityDetected
LogonRightsSettingEnabled
PasswordChangeAttempt
UserAccountCreated
UserAccountDeleted
UserAccountModified

then if the properties.AccountDomain log field is not empty, then it is mapped to the target.administrative_domain UDM field.

Else, if the properties.InitiatingProcessAccountDomain log field is not empty and the properties.AccountDomain log field is not empty, then the properties.AccountDomain log field is mapped to additional.fields[AccountDomain] .

Else if the properties.InitiatingProcessAccountDomain log field is empty and the properties.AccountDomain log field is not empty, then the properties.AccountDomain log field is mapped to the principal.administrative_domain UDM field.

properties.AccountDomain

target.administrative_domain

If the properties.ActionType log field contains one of the following values:

BruteForceActivityDetected
LogonRightsSettingEnabled
PasswordChangeAttempt
UserAccountCreated
UserAccountDeleted
UserAccountModified

properties.DeviceName

principal.hostname

If the properties.ActionType log field contains one of the following values, then the properties.DeviceName log field is mapped to the target.hostname and target.asset.hostname UDM field:

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, the properties.DeviceName log field is mapped to the principal.hostname and principal.asset.hostname UDM fields.

properties.DeviceName

principal.asset.hostname

If the properties.ActionType log field contains one of the following values, then the properties.DeviceName log field is mapped to the target.hostname and target.asset.hostname UDM field:

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, the properties.DeviceName log field is mapped to the principal.hostname and principal.asset.hostname UDM fields.

properties.DeviceName

target.hostname

If the properties.ActionType log field contains one of the following values, then the properties.DeviceName log field is mapped to the target.hostname and target.asset.hostname UDM field:

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, the properties.DeviceName log field is mapped to the principal.hostname and principal.asset.hostname UDM fields.

properties.DeviceName

target.asset.hostname

If the properties.ActionType log field contains one of the following values, then the properties.DeviceName log field is mapped to the target.hostname and target.asset.hostname UDM field:

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, the properties.DeviceName log field is mapped to the principal.hostname and principal.asset.hostname UDM fields.

properties.LocalIP

principal.ip

If the properties.ActionType log field contains one of the following values, then the properties.LocalIP log field is mapped to the target.ip and target.asset.ip UDM field:

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, the properties.LocalIP log field is mapped to the principal.ip and principal.asset.ip UDM fields.

properties.LocalIP

principal.asset.ip

If the properties.ActionType log field contains one of the following values, then the properties.LocalIP log field is mapped to the target.ip and target.asset.ip UDM field:

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, the properties.LocalIP log field is mapped to the principal.ip and principal.asset.ip UDM fields.

properties.LocalIP

target.ip

If the properties.ActionType log field contains one of the following values, then the properties.LocalIP log field is mapped to the target.ip and target.asset.ip UDM field:

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, the properties.LocalIP log field is mapped to the principal.ip and principal.asset.ip UDM fields.

properties.LocalIP

target.asset.ip

If the properties.ActionType log field contains one of the following values, then the properties.LocalIP log field is mapped to the target.ip and target.asset.ip UDM field:

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, the properties.LocalIP log field is mapped to the principal.ip and principal.asset.ip UDM fields.

properties.FileOriginIP

principal.ip

properties.FileOriginIP

principal.asset.ip

properties.LocalPort

principal.port

If the properties.ActionType log field contains one of the following values, then the properties.LocalPort log field is mapped to the target.port UDM field:

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, the properties.LocalPort log field is mapped to the principal.port UDM field.

properties.LocalPort

target.port

If the properties.ActionType log field contains one of the following values, then the properties.LocalPort log field is mapped to the target.port UDM field:

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, the properties.LocalPort log field is mapped to the principal.port UDM field.

properties.InitiatingProcessCommandLine

principal.process.command_line

properties.InitiatingProcessFolderPath

principal.process.file.full_path

If the properties.InitiatingProcessFolderPath log field value matches the regular expression pattern the properties.InitiatingProcessFileName log field value, then the properties.InitiatingProcessFolderPath log field is mapped to the principal.process.file.full_path UDM field.

Else, the principal.process.file.full_path is set to %{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName} .

properties.InitiatingProcessMD5

principal.process.file.md5

If the properties.InitiatingProcessMD5 log field value matches the regular expression pattern ^[0-9a-f]+$ , then the properties.InitiatingProcessMD5 log field is mapped to the principal.process.file.md5 UDM field.

properties.InitiatingProcessFileName

principal.process.file.names

properties.InitiatingProcessSHA1

principal.process.file.sha1

If the properties.InitiatingProcessSHA1 log field value matches the regular expression pattern ^[0-9a-f]+$ , then the properties.InitiatingProcessSHA1 log field is mapped to the principal.process.file.sha1 UDM field.

properties.InitiatingProcessSHA256

principal.process.file.sha256

If the properties.InitiatingProcessSHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$ , then the properties.InitiatingProcessSHA256 log field is mapped to the principal.process.file.sha256 UDM field.

properties.InitiatingProcessFileSize

principal.process.file.size

properties.InitiatingProcessParentFileName

principal.process.parent_process.file.names

properties.InitiatingProcessParentId

principal.process.parent_process.pid

properties.InitiatingProcessId

principal.process.pid

properties.FileOriginUrl

principal.url

properties.InitiatingProcessAccountObjectId

principal.user.product_object_id

properties.InitiatingProcessAccountUpn

principal.user.user_display_name

properties.InitiatingProcessAccountName

principal.user.userid

properties.AccountName

principal.user.userid

If the properties.ActionType log field contains one of the following values:

BruteForceActivityDetected
LogonRightsSettingEnabled
PasswordChangeAttempt
UserAccountCreated
UserAccountDeleted
UserAccountModified

then if the properties.AccountName log field is not empty, then it is mapped to the target.user.userid UDM field.

Else, if the properties.InitiatingProcessAccountName log field is not empty and the properties.AccountName log field is not empty, then the properties.AccountName log field is mapped to additional.fields[AccountName] .

Else if the properties.InitiatingProcessAccountName log field is empty and the properties.AccountName log field is not empty, then the properties.AccountName log field is mapped to the principal.user.userid UDM field.

properties.AccountName

target.user.userid

If the properties.ActionType log field contains one of the following values:

BruteForceActivityDetected
LogonRightsSettingEnabled
PasswordChangeAttempt
UserAccountCreated
UserAccountDeleted
UserAccountModified

properties.InitiatingProcessAccountSid

principal.user.windows_sid

properties.AccountSid

principal.user.windows_sid

If the properties.ActionType log field contains one of the following values:

BruteForceActivityDetected
LogonRightsSettingEnabled
PasswordChangeAttempt
UserAccountCreated
UserAccountDeleted
UserAccountModified

then if the properties.AccountSid log field is not empty, then it is mapped to the target.user.windows_sid UDM field.

Else, if the properties.InitiatingProcessAccountSid log field is not empty and the properties.AccountSid log field is not empty, then the properties.AccountSid log field is mapped to additional.fields[AccountSid] .

Else if the properties.InitiatingProcessAccountSid log field is empty and the properties.AccountSid log field is not empty, then the properties.AccountSid log field is mapped to the principal.user.windows_sid UDM field.

properties.AccountSid

target.user.windows_sid

If the properties.ActionType log field contains one of the following values:

BruteForceActivityDetected
LogonRightsSettingEnabled
PasswordChangeAttempt
UserAccountCreated
UserAccountDeleted
UserAccountModified

properties.ActionType

security_result.action

If the properties.ActionType log field value matches the regular expression pattern (?i)Allow , then the security_result.action UDM field is set to ALLOW .

Else if the properties.ActionType log field value matches the regular expression pattern (?i)Block , then the security_result.action UDM field is set to BLOCK .

Else if the properties.ActionType log field value matches the regular expression pattern (?i)Fail , then the security_result.action UDM field is set to FAIL .

properties.FolderPath

target.file.full_path

If the properties.ActionType log field contains one of the following values:

AmsiScriptDetection
AppGuardCreateContainer
AppGuardLaunchedWithUrl
AppGuardResumeContainer
AppGuardStopContainer
AppGuardSuspendContainer
ClrUnbackedModuleLoaded
CreateRemoteThreadApiCall
DpapiAccessed
DriverLoad
GetAsyncKeyStateApiCall
GetClipboardData
MemoryRemoteProtect
NamedPipeEvent
NtAllocateVirtualMemoryApiCall
NtAllocateVirtualMemoryRemoteApiCall
NtMapViewOfSectionRemoteApiCall
NtProtectVirtualMemoryApiCall
OpenProcessApiCall
PowerShellCommand
ProcessCreatedUsingWmiQuery
ProcessPrimaryTokenModified
PTraceDetected
QueueUserApcRemoteApiCall
ReadProcessMemoryApiCall
RemoteWmiOperation
RemovableStoragePolicyTriggered
ScriptContent
SetThreadContextRemoteApiCall
WmiBindEventFilterToConsumer
WriteProcessMemoryApiCall
WriteToLsassProcessMemory
AsrAdobeReaderChildProcessAudited
AsrAdobeReaderChildProcessBlocked
AsrAdobeReaderChildProcessWarnBypassed
AsrOfficeChildProcessAudited
AsrOfficeChildProcessBlocked
AsrOfficeChildProcessWarnBypassed
AsrOfficeCommAppChildProcessAudited
AsrOfficeCommAppChildProcessBlocked
AsrOfficeCommAppChildProcessWarnBypassed
AsrOfficeProcessInjectionAudited
AsrOfficeProcessInjectionBlocked
AsrOfficeProcessInjectionWarnBypassed
AsrPsexecWmiChildProcessAudited
AsrPsexecWmiChildProcessBlocked
AsrPsexecWmiChildProcessWarnBypassed
AsrUntrustedUsbProcessAudited
AsrUntrustedUsbProcessBlocked
AsrUntrustedUsbProcessWarnBypassed
ExploitGuardChildProcessAudited
ExploitGuardChildProcessBlocked

then if the properties.FolderPath log field value matches the regular expression pattern

the properties.FileName 
log field value

, then properties.FolderPath log field is mapped to the target.process.file.full_path UDM field, else %{properties.FolderPath}\%{properties.FileName} is mapped to the target.process.file.full_path UDM field.
Else, if the properties.FolderPath log field value matches the regular expression pattern

the properties.FileName 
log field value

, then properties.FolderPath log field is mapped to the target.file.full_path UDM field, else %{properties.FolderPath}\%{properties.FileName} is mapped to the target.file.full_path UDM field.

properties.FolderPath

target.process.file.full_path

If the properties.ActionType log field contains one of the following values:

AmsiScriptDetection
AppGuardCreateContainer
AppGuardLaunchedWithUrl
AppGuardResumeContainer
AppGuardStopContainer
AppGuardSuspendContainer
ClrUnbackedModuleLoaded
CreateRemoteThreadApiCall
DpapiAccessed
DriverLoad
GetAsyncKeyStateApiCall
GetClipboardData
MemoryRemoteProtect
NamedPipeEvent
NtAllocateVirtualMemoryApiCall
NtAllocateVirtualMemoryRemoteApiCall
NtMapViewOfSectionRemoteApiCall
NtProtectVirtualMemoryApiCall
OpenProcessApiCall
PowerShellCommand
ProcessCreatedUsingWmiQuery
ProcessPrimaryTokenModified
PTraceDetected
QueueUserApcRemoteApiCall
ReadProcessMemoryApiCall
RemoteWmiOperation
RemovableStoragePolicyTriggered
ScriptContent
SetThreadContextRemoteApiCall
WmiBindEventFilterToConsumer
WriteProcessMemoryApiCall
WriteToLsassProcessMemory
AsrAdobeReaderChildProcessAudited
AsrAdobeReaderChildProcessBlocked
AsrAdobeReaderChildProcessWarnBypassed
AsrOfficeChildProcessAudited
AsrOfficeChildProcessBlocked
AsrOfficeChildProcessWarnBypassed
AsrOfficeCommAppChildProcessAudited
AsrOfficeCommAppChildProcessBlocked
AsrOfficeCommAppChildProcessWarnBypassed
AsrOfficeProcessInjectionAudited
AsrOfficeProcessInjectionBlocked
AsrOfficeProcessInjectionWarnBypassed
AsrPsexecWmiChildProcessAudited
AsrPsexecWmiChildProcessBlocked
AsrPsexecWmiChildProcessWarnBypassed
AsrUntrustedUsbProcessAudited
AsrUntrustedUsbProcessBlocked
AsrUntrustedUsbProcessWarnBypassed
ExploitGuardChildProcessAudited
ExploitGuardChildProcessBlocked

then if the properties.FolderPath log field value matches the regular expression pattern

the properties.FileName 
log field value

the properties.FileName 
log field value

, then properties.FolderPath log field is mapped to the target.file.full_path UDM field, else %{properties.FolderPath}\%{properties.FileName} is mapped to the target.file.full_path UDM field.

properties.MD5

target.file.md5

If the properties.ActionType log field contains one of the following values:

AmsiScriptDetection
AppGuardCreateContainer
AppGuardLaunchedWithUrl
AppGuardResumeContainer
AppGuardStopContainer
AppGuardSuspendContainer
ClrUnbackedModuleLoaded
CreateRemoteThreadApiCall
DpapiAccessed
DriverLoad
GetAsyncKeyStateApiCall
GetClipboardData
MemoryRemoteProtect
NamedPipeEvent
NtAllocateVirtualMemoryApiCall
NtAllocateVirtualMemoryRemoteApiCall
NtMapViewOfSectionRemoteApiCall
NtProtectVirtualMemoryApiCall
OpenProcessApiCall
PowerShellCommand
ProcessCreatedUsingWmiQuery
ProcessPrimaryTokenModified
PTraceDetected
QueueUserApcRemoteApiCall
ReadProcessMemoryApiCall
RemoteWmiOperation
RemovableStoragePolicyTriggered
ScriptContent
SetThreadContextRemoteApiCall
WmiBindEventFilterToConsumer
WriteProcessMemoryApiCall
WriteToLsassProcessMemory
AsrAdobeReaderChildProcessAudited
AsrAdobeReaderChildProcessBlocked
AsrAdobeReaderChildProcessWarnBypassed
AsrOfficeChildProcessAudited
AsrOfficeChildProcessBlocked
AsrOfficeChildProcessWarnBypassed
AsrOfficeCommAppChildProcessAudited
AsrOfficeCommAppChildProcessBlocked
AsrOfficeCommAppChildProcessWarnBypassed
AsrOfficeProcessInjectionAudited
AsrOfficeProcessInjectionBlocked
AsrOfficeProcessInjectionWarnBypassed
AsrPsexecWmiChildProcessAudited
AsrPsexecWmiChildProcessBlocked
AsrPsexecWmiChildProcessWarnBypassed
AsrUntrustedUsbProcessAudited
AsrUntrustedUsbProcessBlocked
AsrUntrustedUsbProcessWarnBypassed
ExploitGuardChildProcessAudited
ExploitGuardChildProcessBlocked

and if the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$ , then the properties.MD5 log field is mapped to the target.process.file.md5 UDM field.
Else, if the properties.MD5 log field value matches the regular expression pattern ^[0-9a-f]+$ , then the properties.MD5 log field is mapped to the target.file.md5 UDM field.

properties.MD5

target.process.file.md5

If the properties.ActionType log field contains one of the following values:

AmsiScriptDetection
AppGuardCreateContainer
AppGuardLaunchedWithUrl
AppGuardResumeContainer
AppGuardStopContainer
AppGuardSuspendContainer
ClrUnbackedModuleLoaded
CreateRemoteThreadApiCall
DpapiAccessed
DriverLoad
GetAsyncKeyStateApiCall
GetClipboardData
MemoryRemoteProtect
NamedPipeEvent
NtAllocateVirtualMemoryApiCall
NtAllocateVirtualMemoryRemoteApiCall
NtMapViewOfSectionRemoteApiCall
NtProtectVirtualMemoryApiCall
OpenProcessApiCall
PowerShellCommand
ProcessCreatedUsingWmiQuery
ProcessPrimaryTokenModified
PTraceDetected
QueueUserApcRemoteApiCall
ReadProcessMemoryApiCall
RemoteWmiOperation
RemovableStoragePolicyTriggered
ScriptContent
SetThreadContextRemoteApiCall
WmiBindEventFilterToConsumer
WriteProcessMemoryApiCall
WriteToLsassProcessMemory
AsrAdobeReaderChildProcessAudited
AsrAdobeReaderChildProcessBlocked
AsrAdobeReaderChildProcessWarnBypassed
AsrOfficeChildProcessAudited
AsrOfficeChildProcessBlocked
AsrOfficeChildProcessWarnBypassed
AsrOfficeCommAppChildProcessAudited
AsrOfficeCommAppChildProcessBlocked
AsrOfficeCommAppChildProcessWarnBypassed
AsrOfficeProcessInjectionAudited
AsrOfficeProcessInjectionBlocked
AsrOfficeProcessInjectionWarnBypassed
AsrPsexecWmiChildProcessAudited
AsrPsexecWmiChildProcessBlocked
AsrPsexecWmiChildProcessWarnBypassed
AsrUntrustedUsbProcessAudited
AsrUntrustedUsbProcessBlocked
AsrUntrustedUsbProcessWarnBypassed
ExploitGuardChildProcessAudited
ExploitGuardChildProcessBlocked

properties.FileName

target.file.names

If the properties.ActionType log field contains one of the following values:

AmsiScriptDetection
AppGuardCreateContainer
AppGuardLaunchedWithUrl
AppGuardResumeContainer
AppGuardStopContainer
AppGuardSuspendContainer
ClrUnbackedModuleLoaded
CreateRemoteThreadApiCall
DpapiAccessed
DriverLoad
GetAsyncKeyStateApiCall
GetClipboardData
MemoryRemoteProtect
NamedPipeEvent
NtAllocateVirtualMemoryApiCall
NtAllocateVirtualMemoryRemoteApiCall
NtMapViewOfSectionRemoteApiCall
NtProtectVirtualMemoryApiCall
OpenProcessApiCall
PowerShellCommand
ProcessCreatedUsingWmiQuery
ProcessPrimaryTokenModified
PTraceDetected
QueueUserApcRemoteApiCall
ReadProcessMemoryApiCall
RemoteWmiOperation
RemovableStoragePolicyTriggered
ScriptContent
SetThreadContextRemoteApiCall
WmiBindEventFilterToConsumer
WriteProcessMemoryApiCall
WriteToLsassProcessMemory
AsrAdobeReaderChildProcessAudited
AsrAdobeReaderChildProcessBlocked
AsrAdobeReaderChildProcessWarnBypassed
AsrOfficeChildProcessAudited
AsrOfficeChildProcessBlocked
AsrOfficeChildProcessWarnBypassed
AsrOfficeCommAppChildProcessAudited
AsrOfficeCommAppChildProcessBlocked
AsrOfficeCommAppChildProcessWarnBypassed
AsrOfficeProcessInjectionAudited
AsrOfficeProcessInjectionBlocked
AsrOfficeProcessInjectionWarnBypassed
AsrPsexecWmiChildProcessAudited
AsrPsexecWmiChildProcessBlocked
AsrPsexecWmiChildProcessWarnBypassed
AsrUntrustedUsbProcessAudited
AsrUntrustedUsbProcessBlocked
AsrUntrustedUsbProcessWarnBypassed
ExploitGuardChildProcessAudited
ExploitGuardChildProcessBlocked

then properties.FileName log field is mapped to the target.process.file.names UDM field.
Else, properties.FileName log field is mapped to the target.file.names UDM field.

properties.FileName

target.process.file.names

If the properties.ActionType log field contains one of the following values:

AmsiScriptDetection
AppGuardCreateContainer
AppGuardLaunchedWithUrl
AppGuardResumeContainer
AppGuardStopContainer
AppGuardSuspendContainer
ClrUnbackedModuleLoaded
CreateRemoteThreadApiCall
DpapiAccessed
DriverLoad
GetAsyncKeyStateApiCall
GetClipboardData
MemoryRemoteProtect
NamedPipeEvent
NtAllocateVirtualMemoryApiCall
NtAllocateVirtualMemoryRemoteApiCall
NtMapViewOfSectionRemoteApiCall
NtProtectVirtualMemoryApiCall
OpenProcessApiCall
PowerShellCommand
ProcessCreatedUsingWmiQuery
ProcessPrimaryTokenModified
PTraceDetected
QueueUserApcRemoteApiCall
ReadProcessMemoryApiCall
RemoteWmiOperation
RemovableStoragePolicyTriggered
ScriptContent
SetThreadContextRemoteApiCall
WmiBindEventFilterToConsumer
WriteProcessMemoryApiCall
WriteToLsassProcessMemory
AsrAdobeReaderChildProcessAudited
AsrAdobeReaderChildProcessBlocked
AsrAdobeReaderChildProcessWarnBypassed
AsrOfficeChildProcessAudited
AsrOfficeChildProcessBlocked
AsrOfficeChildProcessWarnBypassed
AsrOfficeCommAppChildProcessAudited
AsrOfficeCommAppChildProcessBlocked
AsrOfficeCommAppChildProcessWarnBypassed
AsrOfficeProcessInjectionAudited
AsrOfficeProcessInjectionBlocked
AsrOfficeProcessInjectionWarnBypassed
AsrPsexecWmiChildProcessAudited
AsrPsexecWmiChildProcessBlocked
AsrPsexecWmiChildProcessWarnBypassed
AsrUntrustedUsbProcessAudited
AsrUntrustedUsbProcessBlocked
AsrUntrustedUsbProcessWarnBypassed
ExploitGuardChildProcessAudited
ExploitGuardChildProcessBlocked

then properties.FileName log field is mapped to the target.process.file.names UDM field.
Else, properties.FileName log field is mapped to the target.file.names UDM field.

properties.SHA1

target.file.sha1

If the properties.ActionType log field contains one of the following values:

AmsiScriptDetection
AppGuardCreateContainer
AppGuardLaunchedWithUrl
AppGuardResumeContainer
AppGuardStopContainer
AppGuardSuspendContainer
ClrUnbackedModuleLoaded
CreateRemoteThreadApiCall
DpapiAccessed
DriverLoad
GetAsyncKeyStateApiCall
GetClipboardData
MemoryRemoteProtect
NamedPipeEvent
NtAllocateVirtualMemoryApiCall
NtAllocateVirtualMemoryRemoteApiCall
NtMapViewOfSectionRemoteApiCall
NtProtectVirtualMemoryApiCall
OpenProcessApiCall
PowerShellCommand
ProcessCreatedUsingWmiQuery
ProcessPrimaryTokenModified
PTraceDetected
QueueUserApcRemoteApiCall
ReadProcessMemoryApiCall
RemoteWmiOperation
RemovableStoragePolicyTriggered
ScriptContent
SetThreadContextRemoteApiCall
WmiBindEventFilterToConsumer
WriteProcessMemoryApiCall
WriteToLsassProcessMemory
AsrAdobeReaderChildProcessAudited
AsrAdobeReaderChildProcessBlocked
AsrAdobeReaderChildProcessWarnBypassed
AsrOfficeChildProcessAudited
AsrOfficeChildProcessBlocked
AsrOfficeChildProcessWarnBypassed
AsrOfficeCommAppChildProcessAudited
AsrOfficeCommAppChildProcessBlocked
AsrOfficeCommAppChildProcessWarnBypassed
AsrOfficeProcessInjectionAudited
AsrOfficeProcessInjectionBlocked
AsrOfficeProcessInjectionWarnBypassed
AsrPsexecWmiChildProcessAudited
AsrPsexecWmiChildProcessBlocked
AsrPsexecWmiChildProcessWarnBypassed
AsrUntrustedUsbProcessAudited
AsrUntrustedUsbProcessBlocked
AsrUntrustedUsbProcessWarnBypassed
ExploitGuardChildProcessAudited
ExploitGuardChildProcessBlocked

and if the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$ , then properties.SHA1 log field is mapped to the target.process.file.sha1 UDM field.
Else, if the properties.SHA1 log field value matches the regular expression pattern ^[0-9a-f]+$ , then properties.SHA1 log field is mapped to the target.file.sha1 UDM field.

properties.SHA1

target.process.file.sha1

If the properties.ActionType log field contains one of the following values:

AmsiScriptDetection
AppGuardCreateContainer
AppGuardLaunchedWithUrl
AppGuardResumeContainer
AppGuardStopContainer
AppGuardSuspendContainer
ClrUnbackedModuleLoaded
CreateRemoteThreadApiCall
DpapiAccessed
DriverLoad
GetAsyncKeyStateApiCall
GetClipboardData
MemoryRemoteProtect
NamedPipeEvent
NtAllocateVirtualMemoryApiCall
NtAllocateVirtualMemoryRemoteApiCall
NtMapViewOfSectionRemoteApiCall
NtProtectVirtualMemoryApiCall
OpenProcessApiCall
PowerShellCommand
ProcessCreatedUsingWmiQuery
ProcessPrimaryTokenModified
PTraceDetected
QueueUserApcRemoteApiCall
ReadProcessMemoryApiCall
RemoteWmiOperation
RemovableStoragePolicyTriggered
ScriptContent
SetThreadContextRemoteApiCall
WmiBindEventFilterToConsumer
WriteProcessMemoryApiCall
WriteToLsassProcessMemory
AsrAdobeReaderChildProcessAudited
AsrAdobeReaderChildProcessBlocked
AsrAdobeReaderChildProcessWarnBypassed
AsrOfficeChildProcessAudited
AsrOfficeChildProcessBlocked
AsrOfficeChildProcessWarnBypassed
AsrOfficeCommAppChildProcessAudited
AsrOfficeCommAppChildProcessBlocked
AsrOfficeCommAppChildProcessWarnBypassed
AsrOfficeProcessInjectionAudited
AsrOfficeProcessInjectionBlocked
AsrOfficeProcessInjectionWarnBypassed
AsrPsexecWmiChildProcessAudited
AsrPsexecWmiChildProcessBlocked
AsrPsexecWmiChildProcessWarnBypassed
AsrUntrustedUsbProcessAudited
AsrUntrustedUsbProcessBlocked
AsrUntrustedUsbProcessWarnBypassed
ExploitGuardChildProcessAudited
ExploitGuardChildProcessBlocked

properties.SHA256

target.file.sha256

If the properties.ActionType log field contains one of the following values:

AmsiScriptDetection
AppGuardCreateContainer
AppGuardLaunchedWithUrl
AppGuardResumeContainer
AppGuardStopContainer
AppGuardSuspendContainer
ClrUnbackedModuleLoaded
CreateRemoteThreadApiCall
DpapiAccessed
DriverLoad
GetAsyncKeyStateApiCall
GetClipboardData
MemoryRemoteProtect
NamedPipeEvent
NtAllocateVirtualMemoryApiCall
NtAllocateVirtualMemoryRemoteApiCall
NtMapViewOfSectionRemoteApiCall
NtProtectVirtualMemoryApiCall
OpenProcessApiCall
PowerShellCommand
ProcessCreatedUsingWmiQuery
ProcessPrimaryTokenModified
PTraceDetected
QueueUserApcRemoteApiCall
ReadProcessMemoryApiCall
RemoteWmiOperation
RemovableStoragePolicyTriggered
ScriptContent
SetThreadContextRemoteApiCall
WmiBindEventFilterToConsumer
WriteProcessMemoryApiCall
WriteToLsassProcessMemory
AsrAdobeReaderChildProcessAudited
AsrAdobeReaderChildProcessBlocked
AsrAdobeReaderChildProcessWarnBypassed
AsrOfficeChildProcessAudited
AsrOfficeChildProcessBlocked
AsrOfficeChildProcessWarnBypassed
AsrOfficeCommAppChildProcessAudited
AsrOfficeCommAppChildProcessBlocked
AsrOfficeCommAppChildProcessWarnBypassed
AsrOfficeProcessInjectionAudited
AsrOfficeProcessInjectionBlocked
AsrOfficeProcessInjectionWarnBypassed
AsrPsexecWmiChildProcessAudited
AsrPsexecWmiChildProcessBlocked
AsrPsexecWmiChildProcessWarnBypassed
AsrUntrustedUsbProcessAudited
AsrUntrustedUsbProcessBlocked
AsrUntrustedUsbProcessWarnBypassed
ExploitGuardChildProcessAudited
ExploitGuardChildProcessBlocked

and if the properties.SHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$ , then properties.SHA256 log field is mapped to the target.process.file.sha256 UDM field.
Else, if the properties.SHA256 log field value matches the regular expression pattern ^[a-f0-9]{64}$ , then properties.SHA256 log field is mapped to the target.file.sha256 UDM field.

properties.SHA256

target.process.file.sha256

If the properties.ActionType log field contains one of the following values:

AmsiScriptDetection
AppGuardCreateContainer
AppGuardLaunchedWithUrl
AppGuardResumeContainer
AppGuardStopContainer
AppGuardSuspendContainer
ClrUnbackedModuleLoaded
CreateRemoteThreadApiCall
DpapiAccessed
DriverLoad
GetAsyncKeyStateApiCall
GetClipboardData
MemoryRemoteProtect
NamedPipeEvent
NtAllocateVirtualMemoryApiCall
NtAllocateVirtualMemoryRemoteApiCall
NtMapViewOfSectionRemoteApiCall
NtProtectVirtualMemoryApiCall
OpenProcessApiCall
PowerShellCommand
ProcessCreatedUsingWmiQuery
ProcessPrimaryTokenModified
PTraceDetected
QueueUserApcRemoteApiCall
ReadProcessMemoryApiCall
RemoteWmiOperation
RemovableStoragePolicyTriggered
ScriptContent
SetThreadContextRemoteApiCall
WmiBindEventFilterToConsumer
WriteProcessMemoryApiCall
WriteToLsassProcessMemory
AsrAdobeReaderChildProcessAudited
AsrAdobeReaderChildProcessBlocked
AsrAdobeReaderChildProcessWarnBypassed
AsrOfficeChildProcessAudited
AsrOfficeChildProcessBlocked
AsrOfficeChildProcessWarnBypassed
AsrOfficeCommAppChildProcessAudited
AsrOfficeCommAppChildProcessBlocked
AsrOfficeCommAppChildProcessWarnBypassed
AsrOfficeProcessInjectionAudited
AsrOfficeProcessInjectionBlocked
AsrOfficeProcessInjectionWarnBypassed
AsrPsexecWmiChildProcessAudited
AsrPsexecWmiChildProcessBlocked
AsrPsexecWmiChildProcessWarnBypassed
AsrUntrustedUsbProcessAudited
AsrUntrustedUsbProcessBlocked
AsrUntrustedUsbProcessWarnBypassed
ExploitGuardChildProcessAudited
ExploitGuardChildProcessBlocked

properties.FileSize

target.file.size

If the properties.ActionType log field contains one of the following values:

AmsiScriptDetection
AppGuardCreateContainer
AppGuardLaunchedWithUrl
AppGuardResumeContainer
AppGuardStopContainer
AppGuardSuspendContainer
ClrUnbackedModuleLoaded
CreateRemoteThreadApiCall
DpapiAccessed
DriverLoad
GetAsyncKeyStateApiCall
GetClipboardData
MemoryRemoteProtect
NamedPipeEvent
NtAllocateVirtualMemoryApiCall
NtAllocateVirtualMemoryRemoteApiCall
NtMapViewOfSectionRemoteApiCall
NtProtectVirtualMemoryApiCall
OpenProcessApiCall
PowerShellCommand
ProcessCreatedUsingWmiQuery
ProcessPrimaryTokenModified
PTraceDetected
QueueUserApcRemoteApiCall
ReadProcessMemoryApiCall
RemoteWmiOperation
RemovableStoragePolicyTriggered
ScriptContent
SetThreadContextRemoteApiCall
WmiBindEventFilterToConsumer
WriteProcessMemoryApiCall
WriteToLsassProcessMemory
AsrAdobeReaderChildProcessAudited
AsrAdobeReaderChildProcessBlocked
AsrAdobeReaderChildProcessWarnBypassed
AsrOfficeChildProcessAudited
AsrOfficeChildProcessBlocked
AsrOfficeChildProcessWarnBypassed
AsrOfficeCommAppChildProcessAudited
AsrOfficeCommAppChildProcessBlocked
AsrOfficeCommAppChildProcessWarnBypassed
AsrOfficeProcessInjectionAudited
AsrOfficeProcessInjectionBlocked
AsrOfficeProcessInjectionWarnBypassed
AsrPsexecWmiChildProcessAudited
AsrPsexecWmiChildProcessBlocked
AsrPsexecWmiChildProcessWarnBypassed
AsrUntrustedUsbProcessAudited
AsrUntrustedUsbProcessBlocked
AsrUntrustedUsbProcessWarnBypassed
ExploitGuardChildProcessAudited
ExploitGuardChildProcessBlocked

then properties.FileSize log field is mapped to the target.process.file.size UDM field.
Else, properties.FileSize log field is mapped to the target.file.size UDM field.

properties.FileSize

target.process.file.size

If the properties.ActionType log field contains one of the following values:

AmsiScriptDetection
AppGuardCreateContainer
AppGuardLaunchedWithUrl
AppGuardResumeContainer
AppGuardStopContainer
AppGuardSuspendContainer
ClrUnbackedModuleLoaded
CreateRemoteThreadApiCall
DpapiAccessed
DriverLoad
GetAsyncKeyStateApiCall
GetClipboardData
MemoryRemoteProtect
NamedPipeEvent
NtAllocateVirtualMemoryApiCall
NtAllocateVirtualMemoryRemoteApiCall
NtMapViewOfSectionRemoteApiCall
NtProtectVirtualMemoryApiCall
OpenProcessApiCall
PowerShellCommand
ProcessCreatedUsingWmiQuery
ProcessPrimaryTokenModified
PTraceDetected
QueueUserApcRemoteApiCall
ReadProcessMemoryApiCall
RemoteWmiOperation
RemovableStoragePolicyTriggered
ScriptContent
SetThreadContextRemoteApiCall
WmiBindEventFilterToConsumer
WriteProcessMemoryApiCall
WriteToLsassProcessMemory
AsrAdobeReaderChildProcessAudited
AsrAdobeReaderChildProcessBlocked
AsrAdobeReaderChildProcessWarnBypassed
AsrOfficeChildProcessAudited
AsrOfficeChildProcessBlocked
AsrOfficeChildProcessWarnBypassed
AsrOfficeCommAppChildProcessAudited
AsrOfficeCommAppChildProcessBlocked
AsrOfficeCommAppChildProcessWarnBypassed
AsrOfficeProcessInjectionAudited
AsrOfficeProcessInjectionBlocked
AsrOfficeProcessInjectionWarnBypassed
AsrPsexecWmiChildProcessAudited
AsrPsexecWmiChildProcessBlocked
AsrPsexecWmiChildProcessWarnBypassed
AsrUntrustedUsbProcessAudited
AsrUntrustedUsbProcessBlocked
AsrUntrustedUsbProcessWarnBypassed
ExploitGuardChildProcessAudited
ExploitGuardChildProcessBlocked

then properties.FileSize log field is mapped to the target.process.file.size UDM field.
Else, properties.FileSize log field is mapped to the target.file.size UDM field.

properties.RemoteDeviceName

principal.hostname

If the properties.ActionType log field contains one of the following values, then the properties.RemoteDeviceName log field is mapped to the principal.hostname and principal.asset.hostname UDM field:

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, the properties.RemoteDeviceName log field is mapped to the target.hostname and target.asset.hostname UDM fields.

properties.RemoteDeviceName

principal.asset.hostname

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, the properties.RemoteDeviceName log field is mapped to the target.hostname and target.asset.hostname UDM fields.

properties.RemoteDeviceName

target.hostname

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, the properties.RemoteDeviceName log field is mapped to the target.hostname and target.asset.hostname UDM fields.

properties.RemoteDeviceName

target.asset.hostname

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, the properties.RemoteDeviceName log field is mapped to the target.hostname and target.asset.hostname UDM fields.

properties.RemoteIP

principal.ip

If the properties.ActionType log field contains one of the following values, then the properties.RemoteIP log field is mapped to the principal.ip and principal.asset.ip UDM field:

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, the properties.RemoteIP log field is mapped to the target.ip and target.asset.ip UDM fields.

properties.RemoteIP

principal.asset.ip

If the properties.ActionType log field contains one of the following values, then the properties.RemoteIP log field is mapped to the principal.ip and principal.asset.ip UDM field:

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, the properties.RemoteIP log field is mapped to the target.ip and target.asset.ip UDM fields.

properties.RemoteIP

target.ip

If the properties.ActionType log field contains one of the following values, then the properties.RemoteIP log field is mapped to the principal.ip and principal.asset.ip UDM field:

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, the properties.RemoteIP log field is mapped to the target.ip and target.asset.ip UDM fields.

properties.RemoteIP

target.asset.ip

If the properties.ActionType log field contains one of the following values, then the properties.RemoteIP log field is mapped to the principal.ip and principal.asset.ip UDM field:

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, the properties.RemoteIP log field is mapped to the target.ip and target.asset.ip UDM fields.

properties.RemotePort

principal.port

If the properties.ActionType log field contains one of the following values, then the properties.RemotePort log field is mapped to the principal.port UDM field:

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, the properties.RemotePort log field is mapped to the target.port UDM field.

properties.RemotePort

target.port

If the properties.ActionType log field contains one of the following values, then the properties.RemotePort log field is mapped to the principal.port UDM field:

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, the properties.RemotePort log field is mapped to the target.port UDM field.

properties.ProcessCommandLine

target.process.command_line

properties.ProcessId

target.process.pid

properties.ProcessTokenElevation

target.process.token_elevation_type

If the properties.ProcessTokenElevation log field value is equal to TokenElevationTypeFull , then the target.process.token_elevation_type UDM field is set to TYPE_1 .

Else, if the properties.ProcessTokenElevation log field value is equal to TokenElevationTypeDefault , then the target.process.token_elevation_type UDM field is set to TYPE_2 .

Else, if the properties.ProcessTokenElevation log field value is equal to TokenElevationTypeLimited , then the target.process.token_elevation_type UDM field is set to TYPE_3 .

properties.RegistryKey

target.registry.registry_key

properties.RegistryValueData

target.registry.registry_value_data

properties.RegistryValueName

target.registry.registry_value_name

properties.RemoteUrl

principal.url

If the properties.ActionType log field contains one of the following values, then the properties.RemoteUrl log field is mapped to the principal.url UDM field:

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, the properties.RemoteUrl log field is mapped to the target.url UDM field.

properties.RemoteUrl

target.url

If the properties.ActionType log field contains one of the following values, then the properties.RemoteUrl log field is mapped to the principal.url UDM field:

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, the properties.RemoteUrl log field is mapped to the target.url UDM field.

properties.AdditionalFields

additional.fields[additional_fields]

properties.AppGuardContainerId

additional.fields[app_guard_container_id]

properties.InitiatingProcessCreationTime

additional.fields[initiating_process_creation_time]

properties.InitiatingProcessLogonId

additional.fields[initiating_process_logon_id]

properties.InitiatingProcessParentCreationTime

additional.fields[initiating_process_parent_creation_time]

properties.ProcessCreationTime

additional.fields[process_creation_time]

properties.InitiatingProcessVersionInfoCompanyName

principal.process.file.exif_info.company

properties.InitiatingProcessVersionInfoFileDescription

principal.process.file.exif_info.file_description

properties.InitiatingProcessVersionInfoInternalFileName

additional.fields[process_version_info_internal_file_name]

properties.InitiatingProcessVersionInfoOriginalFileName

principal.process.file.exif_info.original_file

properties.InitiatingProcessVersionInfoProductName

principal.process.file.exif_info.product

properties.InitiatingProcessVersionInfoProductVersion

additional.fields[process_version_info_product_version]

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - AlertEvidence

The following table lists the log fields for the AlertEvidence log type and their corresponding UDM fields:

Log field	UDM mapping	Logic
`properties.Application`	`principal.application`
`properties.ResourceType`	`principal.resource.attribute.labels[resource_type]`
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `SCAN_HOST` .
`properties.DeviceId` `properties.AdditionalFields.MachineId` `properties.AdditionalFields.Host.MachineId` `properties.AdditionalFields.ImageFile.Host.MachineId` `properties.AdditionalFields.ImageFile.Host.HostMachineId` `properties.AdditionalFields.Host.HostMachineId` `properties.AdditionalFields.Key.Device.MachineId` `properties.AdditionalFields.Key.Device.HostMachineId`	`principal.asset_id`	If the `properties.DeviceId` log field value is not empty then, `DeviceID:properties.DeviceId` is mapped to the `principal.asset_id` UDM field. Else, if the `properties.AdditionalFields.MachineId` log field value is not empty then, `DeviceID:properties.AdditionalFields.MachineId` is mapped to the `principal.asset_id` UDM field. Else, if the `properties.AdditionalFields.Host.MachineId` log field value is not empty then, `DeviceID:properties.AdditionalFields.Host.MachineId` is mapped to the `principal.asset_id` UDM field. Else, if the `properties.AdditionalFields.ImageFile.Host.MachineId` log field value is not empty then, `DeviceID:properties.AdditionalFields.ImageFile.Host.MachineId` is mapped to the `principal.asset_id` UDM field. Else, if the `properties.AdditionalFields.ImageFile.Host.HostMachineId` log field value is not empty then, `DeviceID:properties.AdditionalFields.ImageFile.Host.HostMachineId` is mapped to the `principal.asset_id` UDM field. Else, if the `properties.AdditionalFields.Host.HostMachineId` log field value is not empty then, `DeviceID:properties.AdditionalFields.Host.HostMachineId` is mapped to the `principal.asset_id` UDM field. Else, if the `properties.AdditionalFields.Key.Device.MachineId` log field value is not empty then, `DeviceID:properties.AdditionalFields.Key.Device.MachineId` is mapped to the `principal.asset_id` UDM field. Else, if the `properties.AdditionalFields.Key.Device.HostMachineId` log field value is not empty then, `DeviceID:properties.AdditionalFields.Key.Device.HostMachineId` is mapped to the `principal.asset_id` UDM field.
`properties.DeviceId` `properties.AdditionalFields.MachineId` `properties.AdditionalFields.Host.MachineId` `properties.AdditionalFields.ImageFile.Host.MachineId` `properties.AdditionalFields.ImageFile.Host.HostMachineId` `properties.AdditionalFields.Host.HostMachineId` `properties.AdditionalFields.Key.Device.MachineId` `properties.AdditionalFields.Key.Device.HostMachineId`	`principal.asset.asset_id`	If the `properties.DeviceId` log field value is not empty then, `DeviceID:properties.DeviceId` is mapped to the `principal.asset.asset_id` UDM field. Else, if the `properties.AdditionalFields.MachineId` log field value is not empty then, `DeviceID:properties.AdditionalFields.MachineId` is mapped to the `principal.asset.asset_id` UDM field. Else, if the `properties.AdditionalFields.Host.MachineId` log field value is not empty then, `DeviceID:properties.AdditionalFields.Host.MachineId` is mapped to the `principal.asset.asset_id` UDM field. Else, if the `properties.AdditionalFields.ImageFile.Host.MachineId` log field value is not empty then, `DeviceID:properties.AdditionalFields.ImageFile.Host.MachineId` is mapped to the `principal.asset.asset_id` UDM field. Else, if the `properties.AdditionalFields.ImageFile.Host.HostMachineId` log field value is not empty then, `DeviceID:properties.AdditionalFields.ImageFile.Host.HostMachineId` is mapped to the `principal.asset.asset_id` UDM field. Else, if the `properties.AdditionalFields.Host.HostMachineId` log field value is not empty then, `DeviceID:properties.AdditionalFields.Host.HostMachineId` is mapped to the `principal.asset.asset_id` UDM field. Else, if the `properties.AdditionalFields.Key.Device.MachineId` log field value is not empty then, `DeviceID:properties.AdditionalFields.Key.Device.MachineId` is mapped to the `principal.asset.asset_id` UDM field. Else, if the `properties.AdditionalFields.Key.Device.HostMachineId` log field value is not empty then, `DeviceID:properties.AdditionalFields.Key.Device.HostMachineId` is mapped to the `principal.asset.asset_id` UDM field.
`properties.DeviceName` `properties.AdditionalFields.HostName` `properties.AdditionalFields.Host.HostName` `properties.AdditionalFields.ImageFile.Host.HostName` `properties.AdditionalFields.Key.Device.HostName`	`principal.hostname`	If the `properties.DeviceName` log field value is not empty then, `properties.DeviceName` log field is mapped to the `principal.hostname` UDM field. Else, if the `properties.AdditionalFields.HostName` log field value is not empty then, `properties.AdditionalFields.HostName` log field is mapped to the `principal.hostname` UDM field. Else, if the `properties.AdditionalFields.ImageFile.Host.HostName` log field value is not empty then, `properties.AdditionalFields.ImageFile.Host.HostName` log field is mapped to the `principal.hostname` UDM field. Else, if the `properties.AdditionalFields.Host.HostName` log field value is not empty then, `properties.AdditionalFields.Host.HostName` log field is mapped to the `principal.hostname` UDM field. Else, if the `properties.AdditionalFields.Key.Device.HostName` log field value is not empty then, `properties.AdditionalFields.Key.Device.HostName` log field is mapped to the `principal.hostname` UDM field.
`properties.DeviceName` `properties.AdditionalFields.HostName` `properties.AdditionalFields.Host.HostName` `properties.AdditionalFields.ImageFile.Host.HostName` `properties.AdditionalFields.Key.Device.HostName`	`principal.asset.hostname`	If the `properties.DeviceName` log field value is not empty then, `properties.DeviceName` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `properties.AdditionalFields.HostName` log field value is not empty then, `properties.AdditionalFields.HostName` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `properties.AdditionalFields.ImageFile.Host.HostName` log field value is not empty then, `properties.AdditionalFields.ImageFile.Host.HostName` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `properties.AdditionalFields.Host.HostName` log field value is not empty then, `properties.AdditionalFields.Host.HostName` log field is mapped to the `principal.asset.hostname` UDM field. Else, if the `properties.AdditionalFields.Key.Device.HostName` log field value is not empty then, `properties.AdditionalFields.Key.Device.HostName` log field is mapped to the `principal.asset.hostname` UDM field.
`properties.LocalIP`	`principal.asset.ip`	If the `properties.LocalIP` log field value is not empty, then the `properties.LocalIP` log field is mapped to the `principal.asset.ip` UDM field.
`properties.FolderPath`	`target.file.full_path`	If the `properties.FileName` log field value matches the regular expression pattern the `properties.FolderPath` , then the `properties.FolderPath` log field is mapped to the `target.file.full_path` UDM field. Else, the `properties.FolderPath/properties.FileName` log field is mapped to the `target.file.full_path` UDM field.
`properties.FileName`	`target.file.names`
`properties.SHA1`	`target.file.sha1`	If the `properties.SHA1` log field value matches the regular expression pattern `^the 0-9a-f log field value+$` , then the `properties.SHA1` log field is mapped to the `target.file.sha1` UDM field.
`properties.SHA256`	`target.file.sha256`	If the `properties.SHA256` log field value matches the regular expression pattern `^the a-f0-9 , then 64$` , then the `properties.SHA256` log field is mapped to the `target.file.sha256` UDM field.
`properties.FileSize`	`target.file.size`
`properties.AccountDomain`	`principal.administrative_domain`
`properties.RemoteIP`	`target.ip`
`properties.AdditionalFields`	`additional.fields[additionalfields]`
`properties.ProcessCommandLine`	`target.process.command_line`
`properties.RegistryKey`	`target.registry.registry_key`
`properties.RegistryValueData`	`target.registry.registry_value_data`
`properties.RegistryValueName`	`target.registry.registry_value_name`
`properties.CloudPlatform`	`principal.resource.attribute.cloud.environment`	If the `properties.CloudPlatform` log field value matches the regular expression pattern `/(?i)Amazon Web Services/` , then the `principal.resource.attribute.cloud.environment` UDM field is set to `AMAZON_WEB_SERVICES` . Else, if the `properties.CloudPlatform` log field value matches the regular expression pattern `/(?i)Google Cloud Platform/` , then the `principal.resource.attribute.cloud.environment` UDM field is set to `GOOGLE_CLOUD_PLATFORM` . Else, if the `properties.CloudPlatform` log field value matches one of the regular expression patterns `/(?i)Azure/` or `/(?i)Azure Arc/` , then the `principal.resource.attribute.cloud.environment` UDM field is set to `MICROSOFT_AZURE` . Else, the `principal.resource.attribute.cloud.environment` UDM field is set to `UNSPECIFIED_CLOUD_ENVIRONMENT` .
`properties.SubscriptionId`	`principal.resource.attribute.labels[subscription_id]`
`properties.CloudResource`	`principal.resource.name`
`properties.ResourceID`	`principal.resource.product_object_id`
	`principal.resource.resource_type`	The `principal.resource.resource_type` UDM field is set to `CLOUD_PROJECT` .
`properties.Categories`	`security_result.category_details`
`properties.Severity`	`security_result.severity`
`properties.Title`	`security_result.threat_name`
`properties.ThreatFamily`	`security_result.detection_fields[threat_family]`
`properties.RemoteUrl`	`target.url`
`properties.EvidenceDirection`	`additional.fields[evidence_direction]`
`properties.EvidenceRole`	`additional.fields[evidence_role]`
`properties.AccountObjectId`	`additional.fields[account_object_id]`
`properties.AccountUpn`	`principal.user.user_display_name`
`properties.AccountName`	`principal.user.userid`
`properties.AccountSid`	`principal.user.windows_sid`
`properties.Timestamp`	`metadata.event_timestamp`
`properties.EntityType`	`principal.resource.resource_subtype`
`properties.AlertId`	`metadata.product_log_id`
`properties.DetectionSource`	`security_result.about.resource.attribute.labels[detection_source]`
`properties.ServiceSource`	`security_result.about.resource.attribute.labels[service_source]`
`properties.AttackTechniques`	`security_result.attack_details.techniques.name`
`properties.ApplicationId`	`additional.fields[application_id]`
`properties.EmailSubject`	`network.email.subject`
`properties.NetworkMessageId`	`network.email.mail_id`
`properties.OAuthApplicationId`	`additional.fields[oauth_application_id]`

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - AlertInfo

The following table lists the log fields for the AlertInfo log type and their corresponding UDM fields:

Log field	UDM mapping	Logic
`properties.Timestamp`	`metadata.event_timestamp`
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT` .
`properties.AlertId`	`security_result.threat_id`
`properties.AttackTechniques`	`security_result.attack_details.techniques.name`
`properties.DetectionSource`	`security_result.detection_fields[detection_source]`
`properties.ServiceSource`	`principal.application`
`properties.Severity`	`security_result.severity`	If the `properties.Severity` log field value matches the regular expression pattern `(?i)(informational)` , then the `security_result.severity` UDM field is set to `INFORMATIONAL` . Else, if the `properties.Severity` log field value matches the regular expression pattern `(?i)(low)` , then the `security_result.severity` UDM field is set to `LOW` . Else, if the `properties.Severity` log field value matches the regular expression pattern `(?i)(medium)` , then the `security_result.severity` UDM field is set to `MEDIUM` . Else, if the `properties.Severity` log field value matches the regular expression pattern `(?i)(high)` , then the `security_result.severity` UDM field is set to `HIGH` .
`properties.Category`	`security_result.category_details`
`properties.Title`	`security_result.threat_name`
`properties.Title`	`security_result.rule_name`

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceAlertEvents

The following table lists the log fields for the DeviceAlertEvents log type and their corresponding UDM fields:

Log field	UDM mapping	Logic
`properties.Timestamp`	`metadata.event_timestamp`
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `SCAN_HOST` .
`properties.ReportId`	`security_result.detection_fields[report_id]`
`properties.DeviceId`	`principal.asset_id`	The `principal.asset_id` is set to `DeviceID:%{properties.DeviceId}` .
`properties.MachineGroup`	`principal.group.group_display_name`
`properties.DeviceName`	`principal.hostname`
`properties.AttackTechniques`	`security_result.attack_details.techniques.name`
`properties.Category`	`security_result.category_details`
`properties.AlertId`	`metadata.product_log_id`
`properties.MitreTechniques`	`security_result.detection_fields[mitre_techniques]`
`properties.Severity`	`security_result.severity`	If the `properties.Severity` log field value is equal to `High` , then the `security_result.severity` UDM field is set to `HIGH` . Else, if the `properties.Severity` log field value is equal to `Medium` , then the `security_result.severity` UDM field is set to `MEDIUM` . Else, if the `properties.Severity` log field value is equal to `Low` , then the `security_result.severity` UDM field is set to `LOW` . Else, if the `properties.Severity` log field value is equal to `Informational` , then the `security_result.severity` UDM field is set to `INFORMATIONAL` .
`properties.Title`	`security_result.threat_name`
`properties.Title`	`security_result.rule_name`
`properties.RemoteIp`	`target.ip`
`properties.FileName`	`target.file.names`
`properties.SHA1`	`target.file.sha1`	If the `properties.SHA1` log field value matches the regular expression pattern `^[0-9a-f]+$` , then the `properties.SHA1` log field is mapped to the `target.file.sha1` UDM field.
`properties.RemoteUrl`	`target.url`
`properties.Table`	`additional.fields[table]`

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceFileCertificateInfo

The following table lists the log fields for the DeviceFileCertificateInfo log type and their corresponding UDM fields:

Log field	UDM mapping	Logic
`properties.Timestamp`	`metadata.creation_timestamp`
	`metadata.event_type`	The `metadata.entity_type` UDM field is set to `FILE` .
`properties.ReportId`	`metadata.product_entity_id`
`properties.DeviceId`	`entity.asset_id`	The `entity.asset_id` is set to `DeviceID:%{properties.DeviceId}` .
`properties.SHA1`	`entity.file.sha1`	If the `properties.SHA1` log field value matches the regular expression pattern `^[0-9a-f]+$` , then the `properties.SHA1` log field is mapped to the `entity.file.sha1` UDM field.
`properties.Issuer`	`entity.file.signature_info.sigcheck.signers.cert_issuer`
`properties.Signer`	`entity.file.signature_info.sigcheck.signers.name`
`properties.IsSigned`	`entity.file.signature_info.sigcheck.verified`	If the `properties.IsSigned` log field value is equal to `true` , then the `entity.file.signature_info.sigcheck.verified` UDM field is set to `TRUE` . Else, the `entity.file.signature_info.sigcheck.verified` UDM field is set to `FALSE` .
`properties.DeviceName`	`entity.asset.hostname`
`properties.CertificateCountersignatureTime`	`additional.fields[certificate_countersignature_time]`
`properties.CertificateSerialNumber`	`entity.file.signature_info.sigcheck.x509.serial_number`
`properties.CertificateCreationTime`	`additional.fields[certification_creation_time]`
`properties.CertificateExpirationTime`	`additional.fields[certification_expiration_time]`
`properties.CrlDistributionPointUrls`	`additional.fields[crl_distribution_point_urls]`
`properties.IsRootSignerMicrosoft`	`additional.fields[is_root_signer_microsoft]`
`properties.IsTrusted`	`additional.fields[is_trusted]`
`properties.IssuerHash`	`additional.fields[issuer_hash]`
`properties.SignatureType`	`additional.fields[signature_type]`
`properties.SignerHash`	`additional.fields[signer_hash]`

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceImageLoadEvents

The following table lists the log fields for the DeviceImageLoadEvents log type and their corresponding UDM fields:

Log field	UDM mapping	Logic
`properties.InitiatingProcessSessionId`	`additional.fields[initiating_process_session_id]`
`properties.IsInitiatingProcessRemoteSession`	`additional.fields[is_initiating_process_remote_session]`
`properties.InitiatingProcessRemoteSessionDeviceName`	`src.hostname`
`properties.InitiatingProcessRemoteSessionIP`	`src.ip`
`properties.Timestamp`	`metadata.event_timestamp`
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `PROCESS_MODULE_LOAD` .
`properties.ReportId`	`metadata.product_log_id`
`properties.InitiatingProcessAccountDomain`	`principal.administrative_domain`
`principal.DeviceId`	`principal.asset_id`	The `principal.asset_id` is set to `DeviceID:%{principal.DeviceId}` .
`properties.DeviceName`	`principal.hostname`
`properties.InitiatingProcessCommandLine`	`principal.process.command_line`
`properties.InitiatingProcessFolderPath`	`principal.process.file.full_path`	If the `properties.InitiatingProcessFolderPath` log field value matches the regular expression pattern the `properties.InitiatingProcessFileName` log field value, then the `properties.InitiatingProcessFolderPath` log field is mapped to the `principal.process.file.full_path` UDM field. Else, the `principal.process.file.full_path` is set to `%{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}` .
`properties.InitiatingProcessMD5`	`principal.process.file.md5`	If the `properties.InitiatingProcessMD5` log field value matches the regular expression pattern `^[0-9a-f]+$` , then the `properties.InitiatingProcessMD5` log field is mapped to the `principal.process.file.md5` UDM field.
`properties.InitiatingProcessFileName`	`principal.process.file.names`
`properties.InitiatingProcessSHA1`	`principal.process.file.sha1`	If the `properties.InitiatingProcessSHA1` log field value matches the regular expression pattern `^[0-9a-f]+$` , then the `properties.InitiatingProcessSHA1` log field is mapped to the `principal.process.file.sha1` UDM field.
`properties.InitiatingProcessSHA256`	`principal.process.file.sha256`	If the `properties.InitiatingProcessSHA256` log field value matches the regular expression pattern `^[a-f0-9]{64}$` , then the `properties.InitiatingProcessSHA256` log field is mapped to the `principal.process.file.sha256` UDM field.
`properties.InitiatingProcessFileSize`	`principal.process.file.size`
`properties.InitiatingProcessParentFileName`	`principal.process.parent_process.file.names`
`properties.InitiatingProcessParentId`	`principal.process.parent_process.pid`
`properties.InitiatingProcessId`	`principal.process.pid`
`properties.InitiatingProcessTokenElevation`	`principal.process.token_elevation_type`	If the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeFull` , then the `principal.process.token_elevation_type` UDM field is set to `TYPE_1` . Else, if the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeDefault` , then the `principal.process.token_elevation_type` UDM field is set to `TYPE_2` . Else, if the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeLimited` , then the `principal.process.token_elevation_type` UDM field is set to `TYPE_3` .
`properties.InitiatingProcessAccountObjectId`	`principal.user.product_object_id`
`properties.InitiatingProcessAccountUpn`	`principal.user.user_display_name`
`properties.InitiatingProcessAccountName`	`principal.user.userid`
`properties.InitiatingProcessAccountSid`	`principal.user.windows_sid`
`properties.FolderPath`	`target.process.file.full_path`	If the `properties.FolderPath` log field value matches the regular expression pattern the `properties.FileName` , then the `properties.FolderPath` log field is mapped to the `target.process.file.full_path` UDM field. Else, the `target.process.file.full_path` is set to `%{properties.FolderPath}/%{properties.FileName}` .
`properties.MD5`	`target.process.file.md5`	If the `properties.MD5` log field value matches the regular expression pattern `^[0-9a-f]+$` , then the `properties.MD5` log field is mapped to the `target.process.file.md5` UDM field.
`properties.FileName`	`target.process.file.names`
`properties.SHA1`	`target.process.file.sha1`	If the `properties.SHA1` log field value matches the regular expression pattern `^[0-9a-f]+$` , then the `properties.SHA1` log field is mapped to the `target.process.file.sha1` UDM field.
`properties.SHA256`	`target.process.file.sha256`	If the `properties.SHA256` log field value matches the regular expression pattern `^[a-f0-9]{64}$` , then the `properties.SHA256` log field is mapped to the `target.process.file.sha256` UDM field.
`properties.FileSize`	`target.process.file.size`
`properties.FolderPath`	`target.file.full_path`	If the `properties.FolderPath` log field value matches the regular expression pattern the `properties.FileName` , then the `properties.FolderPath` log field is mapped to the `target.file.full_path` UDM field. Else, the `target.file.full_path` is set to `%{properties.FolderPath}/%{properties.FileName}` .
`properties.MD5`	`target.file.md5`	If the `properties.MD5` log field value matches the regular expression pattern `^[0-9a-f]+$` , then the `properties.MD5` log field is mapped to the `target.process.file.md5` UDM field.
`properties.FileName`	`target.file.names`
`properties.SHA1`	`target.file.sha1`	If the `properties.SHA1` log field value matches the regular expression pattern `^[0-9a-f]+$` , then the `properties.SHA1` log field is mapped to the `target.file.sha1` UDM field.
`properties.SHA256`	`target.file.sha256`	If the `properties.SHA256` log field value matches the regular expression pattern `^[a-f0-9]{64}$` , then the `properties.SHA256` log field is mapped to the `target.file.sha256` UDM field.
`properties.FileSize`	`target.file.size`
`properties.AppGuardContainerId`	`additional.fields[app_guard_container_id]`
`properties.InitiatingProcessCreationTime`	`additional.fields[initiating_process_creation_time]`
`properties.InitiatingProcessIntegrityLevel`	`additional.fields[initiating_process_integrity_level]`
`properties.InitiatingProcessParentCreationTime`	`additional.fields[initiating_process_parent_creation_time]`
`properties.InitiatingProcessVersionInfoCompanyName`	`principal.process.file.exif_info.company`
`properties.InitiatingProcessVersionInfoFileDescription`	`principal.process.file.exif_info.file_description`
`properties.InitiatingProcessVersionInfoInternalFileName`	`additional.fields[initiating_process_version_info_internal_file_name]`
`properties.InitiatingProcessVersionInfoOriginalFileName`	`principal.process.file.exif_info.original_file`
`properties.InitiatingProcessVersionInfoProductName`	`principal.process.file.exif_info.product`
`properties.InitiatingProcessVersionInfoProductVersion`	`additional.fields[initiating_process_version_info_product_version]`

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceFileEvents

The following table lists the log fields for the DeviceFileEvents log type and their corresponding UDM fields:

Log field	UDM mapping	Logic
`properties.InitiatingProcessSessionId`	`additional.fields[initiating_process_session_id]`
`properties.IsInitiatingProcessRemoteSession`	`additional.fields[is_initiating_process_remote_session]`
`properties.InitiatingProcessRemoteSessionDeviceName`	`additional.fields[initiating_process_remote_session_device_name]`
`properties.InitiatingProcessRemoteSessionIP`	`additional.fields[initiating_process_remote_session_ip]`
`properties.Timestamp`	`metadata.event_timestamp`
`properties.ActionType`	`metadata.event_type`	If the `properties.ActionType` log field value is equal to `FileCreated` , then the `metadata.event_type` UDM field is set to `FILE_CREATION` . Else, if the `properties.ActionType` log field value is equal to `FileDeleted` , then the `metadata.event_type` UDM field is set to `FILE_DELETION` . Else, if the `properties.ActionType` log field value is equal to `FileModified` , then the `metadata.event_type` UDM field is set to `FILE_MODIFICATION` . Else, if the `properties.ActionType` log field value is equal to `FileRenamed` , then the `metadata.event_type` UDM field is set to `FILE_MOVE` .
`properties.ReportId`	`metadata.product_log_id`
`properties.RequestProtocol`	`network.application_protocol`	If the `properties.RequestProtocol` log field value is equal to `SMB` , then the `network.application_protocol` UDM field is set to `SMB` . Else, if the `properties.RequestProtocol` log field value is equal to `NFS` , then the `network.application_protocol` UDM field is set to `NFS` . Else, if the `properties.RequestProtocol` log field value is equal to `Local` , then the `network.application_protocol` UDM field is set to `UNKNOWN_APPLICATION_PROTOCOL` .
`properties.FileOriginReferrerUrl`	`network.http.referral_url`
`properties.InitiatingProcessAccountDomain`	`principal.administrative_domain`	If the `properties.InitiatingProcessAccountDomain` log field value is not empty, then the `properties.InitiatingProcessAccountDomain` log field is mapped to the `principal.administrative_domain` UDM field.
`properties.RequestAccountDomain`	`principal.administrative_domain`	If the `properties.InitiatingProcessAccountDomain` log field value is empty, then the `properties.RequestAccountDomain` log field is mapped to the `principal.administrative_domain` UDM field.
`properties.DeviceId`	`principal.asset_id`	The `principal.asset_id` is set to `DeviceID:%{properties.DeviceId}` .
`properties.DeviceName`	`principal.hostname`
`properties.FileOriginIP`	`src.ip`
`properties.RequestSourceIP`	`src.ip`
`properties.RequestSourcePort`	`src.port`
`properties.InitiatingProcessCommandLine`	`principal.process.command_line`
`properties.InitiatingProcessFolderPath`	`principal.process.file.full_path`	If the `properties.InitiatingProcessFolderPath` log field value matches the regular expression pattern the `properties.InitiatingProcessFileName` log field value, then the `properties.InitiatingProcessFolderPath` log field is mapped to the `principal.process.file.full_path` UDM field. Else, the `principal.process.file.full_path` is set to `%{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}` .
`properties.InitiatingProcessMD5`	`principal.process.file.md5`	If the `properties.InitiatingProcessMD5` log field value matches the regular expression pattern `^[0-9a-f]+$` , then the `properties.InitiatingProcessMD5` log field is mapped to the `principal.process.file.md5` UDM field.
`properties.InitiatingProcessFileName`	`principal.process.file.names`
`properties.InitiatingProcessSHA1`	`principal.process.file.sha1`	If the `properties.InitiatingProcessSHA1` log field value matches the regular expression pattern `^[0-9a-f]+$` , then the `properties.InitiatingProcessSHA1` log field is mapped to the `principal.process.file.sha1` UDM field.
`properties.InitiatingProcessSHA256`	`principal.process.file.sha256`	If the `properties.InitiatingProcessSHA256` log field value matches the regular expression pattern `^[a-f0-9]{64}$` , then the `properties.InitiatingProcessSHA256` log field is mapped to the `principal.process.file.sha256` UDM field.
`properties.InitiatingProcessFileSize`	`principal.process.file.size`
`properties.InitiatingProcessParentId`	`principal.process.parent_process.pid`
`properties.InitiatingProcessParentFileName`	`principal.process.parent_process.file.names`
`properties.InitiatingProcessId`	`principal.process.pid`
`properties.InitiatingProcessTokenElevation`	`principal.process.token_elevation_type`	If the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeFull` , then the `principal.process.token_elevation_type` UDM field is set to `TYPE_1` . Else, if the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeDefault` , then the `principal.process.token_elevation_type` UDM field is set to `TYPE_2` . Else, if the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeLimited` , then the `principal.process.token_elevation_type` UDM field is set to `TYPE_3` .
`properties.FileOriginUrl`	`src.url`
`properties.InitiatingProcessAccountObjectId`	`principal.user.product_object_id`
`properties.InitiatingProcessAccountUpn`	`principal.user.user_display_name`
`properties.InitiatingProcessAccountName`	`principal.user.userid`	If the `properties.InitiatingProcessAccountName` log field value is not empty, then the `properties.InitiatingProcessAccountName` log field is mapped to the `principal.user.userid` UDM field.
`properties.RequestAccountName`	`principal.user.userid`	If the `properties.InitiatingProcessAccountName` log field value is empty, then the `properties.RequestAccountName` log field is mapped to the `principal.user.userid` UDM field.
`properties.InitiatingProcessAccountSid`	`principal.user.windows_sid`	If the `properties.InitiatingProcessAccountSid` log field value is not empty, then the `properties.InitiatingProcessAccountSid` log field is mapped to the `principal.user.windows_sid` UDM field.
`properties.RequestAccountSid`	`principal.user.windows_sid`	If the `properties.InitiatingProcessAccountSid` log field value is empty, then the `properties.RequestAccountSid` log field is mapped to the `principal.user.windows_sid` UDM field.
`properties.PreviousFolderPath`	`src.file.full_path`	If the `properties.PreviousFolderPath` log field value matches the regular expression pattern the `properties.PreviousFileName` log field value, then the `properties.PreviousFolderPath` log field is mapped to the `src.file.full_path` UDM field. Else, `src.file.full_path` set to the `%{properties.PreviousFolderPath}/%{properties.PreviousFileName}` .
`properties.PreviousFileName`	`src.file.names`
`properties.FolderPath`	`target.file.full_path`	If the `properties.FolderPath` log field value matches the regular expression pattern the `properties.FileName` log field value, then the `properties.FolderPath` log field is mapped to the `target.file.full_path` UDM field. Else, the `target.file.full_path` set to `%{properties.FolderPath}/%{properties.FileName}` .
`properties.MD5`	`target.file.md5`	If the `properties.MD5` log field value matches the regular expression pattern `^[0-9a-f]+$` , then the `properties.MD5` log field is mapped to the `target.file.md5` UDM field.
`properties.FileName`	`target.file.names`
`properties.SHA1`	`target.file.sha1`	If the `properties.SHA1` log field value matches the regular expression pattern `^[0-9a-f]+$` , then the `properties.SHA1` log field is mapped to the `target.file.sha1` UDM field.
`properties.SHA256`	`target.file.sha256`	If the `properties.SHA256` log field value matches the regular expression pattern `^[a-f0-9]{64}$` , then the `properties.SHA256` log field is mapped to the `target.file.sha256` UDM field.
`properties.FileSize`	`target.file.size`
`properties.SensitivityLabel`	`target.file.tags`
`properties.SensitivitySubLabel`	`target.file.tags`
`properties.AdditionalFields`	`additional.fields[additional_fields]`
`properties.AppGuardContainerId`	`additional.fields[app_guard_container_id]`
`properties.InitiatingProcessCreationTime`	`additional.fields[initiating_process_creation_time]`
`properties.InitiatingProcessIntegrityLevel`	`additional.fields[initiating_process_integrity_level]`
`properties.InitiatingProcessVersionInfoCompanyName`	`principal.process.file.exif_info.company`
`properties.InitiatingProcessVersionInfoFileDescription`	`principal.process.file.exif_info.file_description`
`properties.InitiatingProcessVersionInfoInternalFileName`	`additional.fields[initiating_process_version_info_internal_file_name]`
`properties.InitiatingProcessVersionInfoOriginalFileName`	`principal.process.file.exif_info.original_file`
`properties.InitiatingProcessVersionInfoProductName`	`principal.process.file.exif_info.product`
`properties.InitiatingProcessVersionInfoProductVersion`	`additional.fields[initiating_process_version_info_product_version]`
`properties.InitiatingProcessParentCreationTime`	`additional.fields[initiating_process_parent_creation_time]`
`properties.IsAzureInfoProtectionApplied`	`additional.fields[is_azure_info_protection_applied]`
`properties.ShareName`	`additional.fields[share_name]`

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceInfo

The following table lists the log fields for the DeviceInfo log type and their corresponding UDM fields:

Log field	UDM mapping	Logic
`properties.AzureResourceId`	`entity.asset.attribute.labels[azure_resource_id]`
`properties.AwsResourceName`	`entity.asset.attribute.labels[aws_resource_name]`
`properties.GcpFullResourceName`	`entity.asset.attribute.labels[gcp_full_resource_name]`
`properties.HardwareUuid`	`entity.asset.hardware.serial_number`
`properties.AzureVmId`	`entity.asset.attribute.labels[azure_vm_id]`
`properties.AzureVmSubscriptionId`	`entity.asset.attribute.labels[azure_vm_subscription_id]`
`properties.IsTransient`	`entity.asset.attribute.labels[is_transient]`
`properties.OsBuildRevision`	`entity.asset.attribute.labels[os_build_revision]`
`properties.MitigationStatus`	`entity.asset.attribute.labels[mitigation_status]`
`properties.Site`	`entity.asset.location.name`
`properties.DiscoverySources`	`entity.asset.attribute.labels[discovery_sources]`
`properties.CloudPlatforms`	`entity.asset.attribute.cloud.environment`	If the `properties.CloudPlatforms` log field value matches the regular expression pattern `/(?i)Amazon Web Services/` , then the `entity.asset.attribute.cloud.environment` UDM field is set to `AMAZON_WEB_SERVICES` . Else, if the `properties.CloudPlatforms` log field value matches the regular expression pattern `/(?i)Google Cloud Platform/` , then the `entity.asset.attribute.cloud.environment` UDM field is set to `GOOGLE_CLOUD_PLATFORM` . Else, if the `properties.CloudPlatforms` log field value matches one of the regular expression patterns `/(?i)Azure/` or `/(?i)Azure Arc/` , then the `entity.asset.attribute.cloud.environment` UDM field is set to `MICROSOFT_AZURE` .
`properties.DeviceId`	`entity.asset_id`	The `entity.asset_id` is set to `DeviceID:%{properties.DeviceId}` .
`properties.DeviceId`	`entity.asset.asset_id`	The `entity.asset.asset_id` is set to `DeviceID:%{properties.DeviceId}` .
`properties.AadDeviceId`	`entity.asset.attribute.labels[aad_device_id]`
`properties.AdditionalFields`	`entity.asset.attribute.labels[additional_fields]`
`properties.ConnectivityType`	`entity.asset.attribute.labels[connectivity_type]`
`properties.DeviceDynamicTags`	`entity.asset.attribute.labels[device_dynamic_tags]`
`properties.DeviceManualTags`	`entity.asset.attribute.labels[device_manual_tags]`
`properties.DeviceSubtype`	`entity.asset.attribute.labels[device_subtype]`
`properties.HostDeviceId`	`entity.asset.attribute.labels[host_device_id]`
`properties.IsAzureADJoined`	`entity.asset.attribute.labels[is_azure_ad_joined]`
`properties.IsInternetFacing`	`entity.asset.attribute.labels[is_internet_facing]`
`properties.JoinType`	`entity.asset.attribute.labels[join_type]`
`properties.MergedDeviceIds`	`entity.asset.attribute.labels[merged_device_ids]`
`properties.MergedToDeviceId`	`entity.asset.attribute.labels[merged_to_device_id]`
`properties.OnboardingStatus`	`entity.asset.attribute.labels[onboarding_status]`
`properties.OSArchitecture`	`entity.asset.attribute.labels[os_architecture]`
`properties.OSDistribution`	`entity.asset.attribute.labels[os_distribution]`
`properties.OSVersionInfo`	`entity.asset.attribute.labels[os_version_info]`
`properties.RegistryDeviceTag`	`entity.asset.attribute.labels[registry_divice_tag]`
`properties.ReportId`	`entity.asset.attribute.labels[report_id]`
`properties.SensorHealthState`	`entity.asset.attribute.labels[sensor_health_state]`
`properties.DeviceCategory`	`entity.asset.category`
`properties.Vendor`	`entity.asset.hardware.manufacturer`
`properties.Model`	`entity.asset.hardware.model`
`properties.DeviceName`	`entity.asset.hostname`
`properties.PublicIP`	`entity.asset.nat_ip`
`properties.OSBuild`	`entity.asset.platform_software.plateform_patch_level`
`properties.OSPlatform`	`entity.asset.platform_software.platform`	If the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)macos` , then the `entity.asset.platform_software.platform` UDM field is set to `MAC` . Else, if the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)windows` , then the `entity.asset.platform_software.platform` UDM field is set to `WINDOWS` . Else, if the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)linux` , then the `entity.asset.platform_software.platform` UDM field is set to `LINUX` .
`properties.OSVersion`	`entity.asset.platform_software.platform_version`
`properties.ClientVersion`	`entity.asset.software.version`
`properties.DeviceType`	`entity.asset.type`	If the `properties.DeviceType` log field value is equal to `NetworkDevice` , then the `entity.asset.type` UDM field is set to `NETWORK_ATTACHED_STORAGE` . Else, if the `properties.DeviceType` log field value is equal to `Workstation` , then the `entity.asset.type` UDM field is set to `WORKSTATION` . Else, if the `properties.DeviceType` log field value is equal to `Server` , then the `entity.asset.type` UDM field is set to `SERVER` . Else, if the `properties.DeviceType` log field value is equal to `Mobile` , then the `entity.asset.type` UDM field is set to `MOBILE` . Else if the `properties.DeviceType` log field value is equal to `Printer` , then the `entity.asset.type` UDM field is set to `PRINTER` . Else, the `entity.asset.type` UDM field is set to `ROLE_UNSPECIFIED` and `properties.DeviceType` is mapped to `entity.asset.attribute.labels[device_type]` .
`properties.MachineGroup`	`entity.group.group_display_name`
`properties.ExclusionReason`	`entity.security_result.detection_fields[exclusion_reason]`
`properties.ExposureLevel`	`entity.security_result.detection_fields[exposure_level]`
`properties.IsExcluded`	`entity.security_result.detection_fields[is_excluded]`
`properties.AssetValue`	`entity.security_result.priority`	If the `properties.AssetValue` log field value is equal to `High` , then the `entity.security_result.priority` UDM field is set to `HIGH_PRIORITY` . Else, if the `properties.AssetValue` log field value is equal to `Medium` , then the `entity.security_result.priority` UDM field is set to `MEDIUM_PRIORITY` . Else, if the `properties.AssetValue` log field value is equal to `Low` , then the `entity.security_result.priority` UDM field is set to `LOW_PRIORITY` . Else, the `properties.AssetValue` log field is mapped to the `entity.security_result.detection_fields.asset_value` UDM field.
`properties.Timestamp`	`metadata.creation_timestamp`
	`metadata.entity_type`	The `metadata.entity_type` UDM field is set to `ASSET` .
`properties.DeviceId`	`metadata.product_entity_id`	The `metadata.product_entity_id` is set to `DeviceID:%{properties.DeviceId}` .
	`relations.direction`	The `relations.direction` UDM field is set to `UNIDIRECTIONAL` .
	`relations.entity_type`	The `relations.entity_type` UDM field is set to `USER` .
	`relations.relationship`	The `relations.relationship` UDM field is set to `MEMBER` .
`properties.LoggedOnUsers.DomainName`	`relations.entity.domain.name`
`properties.LoggedOnUsers.UserName`	`relations.entity.user.userid`
`properties.LoggedOnUsers.Sid`	`relations.entity.user.windows_sid`
`properties.LoggedOnUsers`

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - IdentityLogonEvents

The following table lists the log fields for the IdentityLogonEvents log type and their corresponding UDM fields:

Log field	UDM mapping	Logic
`properties.ActionType`	`security_result.action`	If the `properties.ActionType` log field value matches the regular expression pattern `(?i)LogonSuccess` , then the `security_result.action` UDM field is set to `ALLOW` . Else if the `properties.ActionType` log field value matches the regular expression pattern `(?i)LogonBlocked` , then the `security_result.action` UDM field is set to `BLOCK` . Else if the `properties.ActionType` log field value matches the regular expression pattern `(?i)LogonFailed` , then the `security_result.action` UDM field is set to `FAIL` . Else, the `security_result.action` UDM field is set to `UNKNOWN_ACTION` .
`properties.LogonType`	`extensions.auth.mechanism`	If the `properties.LogonType` log field value is equal to `Interactive` , then the `extensions.auth.mechanism` UDM field is set to `INTERACTIVE` . Else, if the `properties.LogonType` log field value is equal to `Network` , then the `extensions.auth.mechanism` UDM field is set to `NETWORK` . Else, if the `properties.LogonType` log field value is equal to `Batch` , then the `extensions.auth.mechanism` UDM field is set to `BATCH` . Else, if the `properties.LogonType` log field value is equal to `Service` , then the `extensions.auth.mechanism` UDM field is set to `SERVICE` . Else, if the `properties.LogonType` log field value is equal to `RemoteInteractive` , then the `extensions.auth.mechanism` UDM field is set to `REMOTE_INTERACTIVE` . Else, the `extensions.auth.mechanism` UDM field is set to `MECHANISM_UNSPECIFIED` and `properties.LogonType` is mapped to `additional.fields[logon_type]` .
`properties.Protocol`	`network.ip_protocol`	If the `properties.Protocol` log field value is equal to `Tcp` , then the `network.ip_protocol` UDM field is set to `TCP` . Else, if the `properties.Protocol` log field value is equal to `Udp` , then the `network.ip_protocol` UDM field is set to `UDP` . Else, if the `properties.Protocol` log field value is equal to `Icmp` , then the `network.ip_protocol` UDM field is set to `ICMP` . Else, the `network.ip_protocol` UDM field is set to `UNKNOWN_IP_PROTOCOL` and `properties.Protocol` is mapped to `additional.fields[network_protocol]` .
`properties.AccountDisplayName`	`principal.user.user_display_name`
`properties.Location`	`principal.location.name`
`properties.OSPlatform`	`principal.asset.platform_software.platform`	If the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)macos` , then the `principal.asset.platform_software.platform` UDM field is set to `MAC` . Else, if the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)windows` , then the `principal.asset.platform_software.platform` UDM field is set to `WINDOWS` . Else, if the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)linux` , then the `principal.asset.platform_software.platform` UDM field is set to `LINUX` .
`properties.OSPlatform`	`principal.asset.platform_software.platform_version`
`properties.DeviceType`	`principal.asset.type`	If the `properties.DeviceType` log field value is equal to `NetworkDevice` , then the `principal.asset.type` UDM field is set to `NETWORK_ATTACHED_STORAGE` . Else, if the `properties.DeviceType` log field value is equal to `Workstation` , then the `principal.asset.type` UDM field is set to `WORKSTATION` . Else, if the `properties.DeviceType` log field value is equal to `Server` , then the `principal.asset.type` UDM field is set to `SERVER` . Else, if the `properties.DeviceType` log field value is equal to `Mobile` , then the `principal.asset.type` UDM field is set to `MOBILE` . Else if the `properties.DeviceType` log field value is equal to `Printer` , then the `principal.asset.type` UDM field is set to `PRINTER` . Else, the `principal.asset.type` UDM field is set to `ROLE_UNSPECIFIED` and `properties.DeviceType` is mapped to `principal.asset.attribute.labels[device_type]` .
`properties.ISP`	`network.carrier_name`
`properties.DestinationDeviceName`	`intermediary.hostname`
`properties.TargetDeviceName`	`target.hostname`
`properties.FailureReason`	`security_result.description`
`properties.Port`	`principal.port`
`properties.DestinationPort`	`intermediary.port`
`properties.DestinationIPAddress`	`intermediary.ip`
`properties.TargetAccountDisplayName`	`target.user.user_display_name`
`properties.Application`	`principal.application`
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGIN` .
`properties.DeviceName`	`principal.hostname`	If the `properties.DeviceName` log field value is not empty, then the `properties.DeviceName` log field is mapped to the `principal.hostname` UDM field.
`properties.IPAddress`	`principal.ip`	If the `properties.IPAddress` log field value is not empty, then the `properties.IPAddress` log field is mapped to the `principal.asset.ip` UDM field.
`properties.AccountDomain`	`principal.administrative_domain`
`properties.AdditionalFields`	`additional.fields[additionalfields]`
`properties.AccountObjectId`	`principal.user.product_object_id`
`properties.AccountUpn`	`principal.user.email_addresses`
`properties.AccountName`	`principal.user.userid`
`properties.AccountSid`	`principal.user.windows_sid`
`properties.Timestamp`	`metadata.event_timestamp`
`properties.ReportId`	`metadata.product_log_id`

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceLogonEvents

The following table lists the log fields for the DeviceLogonEvents log type and their corresponding UDM fields:

Log field	UDM mapping	Logic
`properties.InitiatingProcessSessionId`	`additional.fields[initiating_process_session_id]`
`properties.IsInitiatingProcessRemoteSession`	`additional.fields[is_initiating_process_remote_session]`
`properties.InitiatingProcessRemoteSessionDeviceName`	`src.hostname`
`properties.InitiatingProcessRemoteSessionIP`	`src.ip`
`properties.LogonType`	`extensions.auth.mechanism`	If the `properties.LogonType` log field value is equal to `Interactive` , then the `extensions.auth.mechanism` UDM field is set to `INTERACTIVE` . Else, if the `properties.LogonType` log field value is equal to `Network` , then the `extensions.auth.mechanism` UDM field is set to `NETWORK` . Else, if the `properties.LogonType` log field value is equal to `Batch` , then the `extensions.auth.mechanism` UDM field is set to `BATCH` . Else, if the `properties.LogonType` log field value is equal to `Service` , then the `extensions.auth.mechanism` UDM field is set to `SERVICE` . Else, if the `properties.LogonType` log field value is equal to `CachedInteractive` , then the `extensions.auth.mechanism` UDM field is set to `CACHED_INTERACTIVE` . Else, if the `properties.LogonType` log field value is equal to `CachedRemoteInteractive` , then the `extensions.auth.mechanism` UDM field is set to `CACHED_REMOTE_INTERACTIVE` . Else, if the `properties.LogonType` log field value is equal to `NetworkCleartext` , then the `extensions.auth.mechanism` UDM field is set to `NETWORK_CLEAR_TEXT` . Else, if the `properties.LogonType` log field value is equal to `NewCredentials` , then the `extensions.auth.mechanism` UDM field is set to `NEW_CREDENTIALS` . Else, if the `properties.LogonType` log field value is equal to `Local` , then the `extensions.auth.mechanism` UDM field is set to `LOCAL` . Else, if the `properties.LogonType` log field value is equal to `Unlock` , then the `extensions.auth.mechanism` UDM field is set to `UNLOCK` . Else, if the `properties.LogonType` log field value is equal to `RemoteInteractive` , then the `extensions.auth.mechanism` UDM field is set to `REMOTE_INTERACTIVE` . Else, the `extensions.auth.mechanism` UDM field is set to `MECHANISM_UNSPECIFIED` .
`properties.Timestamp`	`metadata.event_timestamp`
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGIN` .
`properties.ReportId`	`metadata.product_log_id`
`properties.Protocol`	`network.ip_protocol`	If the `properties.Protocol` log field value is equal to `Tcp` , then the `network.ip_protocol` UDM field is set to `TCP` . If the `properties.Protocol` log field value is equal to `Udp` , then the `network.ip_protocol` UDM field is set to `UDP` . If the `properties.Protocol` log field value is equal to `Icmp` , then the `network.ip_protocol` UDM field is set to `ICMP` .
`properties.LogonId`	`extensions.auth.auth_details`
`properties.InitiatingProcessAccountDomain`	`principal.administrative_domain`
`properties.DeviceId`	`target.asset_id`	The `target.asset_id` is set to `DeviceID:%{properties.DeviceId}` .
`properties.DeviceName`	`target.hostname`
`properties.InitiatingProcessCommandLine`	`principal.process.command_line`
`properties.InitiatingProcessFolderPath`	`principal.process.file.full_path`	If the `properties.InitiatingProcessFolderPath` log field value matches the regular expression pattern the `properties.InitiatingProcessFileName` log field value, then the `properties.InitiatingProcessFolderPath` log field is mapped to the `principal.process.file.full_path` UDM field. Else, the `principal.process.file.full_path` is set to `%{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}` .
`properties.InitiatingProcessMD5`	`principal.process.file.md5`	If the `properties.InitiatingProcessMD5` log field value matches the regular expression pattern `^[0-9a-f]+$` , then the `properties.InitiatingProcessMD5` log field is mapped to the `principal.process.file.md5` UDM field.
`properties.InitiatingProcessFileName`	`principal.process.file.names`
`properties.InitiatingProcessSHA1`	`principal.process.file.sha1`	If the `properties.InitiatingProcessSHA1` log field value matches the regular expression pattern `^[0-9a-f]+$` , then the `properties.InitiatingProcessSHA1` log field is mapped to the `principal.process.file.sha1` UDM field.
`properties.InitiatingProcessSHA256`	`principal.process.file.sha256`	If the `properties.InitiatingProcessSHA256` log field value matches the regular expression pattern `^[a-f0-9]{64}$` , then the `properties.InitiatingProcessSHA256` log field is mapped to the `principal.process.file.sha256` UDM field.
`properties.InitiatingProcessFileSize`	`principal.process.file.size`
`properties.InitiatingProcessParentFileName`	`principal.process.parent_process.file.names`
`properties.InitiatingProcessParentId`	`principal.process.parent_process.pid`
`properties.InitiatingProcessId`	`principal.process.pid`
`properties.InitiatingProcessTokenElevation`	`principal.process.token_elevation_type`	If the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeFull` , then the `principal.process.token_elevation_type` UDM field is set to `TYPE_1` . Else, if the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeDefault` , then the `principal.process.token_elevation_type` UDM field is set to `TYPE_2` . Else, if the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeLimited` , then the `principal.process.token_elevation_type` UDM field is set to `TYPE_3` .
`properties.InitiatingProcessAccountObjectId`	`principal.user.product_object_id`
`properties.InitiatingProcessAccountUpn`	`principal.user.user_display_name`
`properties.InitiatingProcessAccountName`	`principal.user.userid`
`properties.InitiatingProcessAccountSid`	`principal.user.windows_sid`
`properties.FailureReason`	`security_result.description`
`properties.AccountDomain`	`target.administrative_domain`
`properties.RemoteDeviceName`	`principal.hostname`
`properties.RemoteIP`	`principal.ip`
`properties.RemotePort`	`principal.port`
`properties.IsLocalAdmin`	`target.resource.attribute.labels[is_local_admin]`
`properties.AccountName`	`target.user.userid`
`properties.AccountSid`	`target.user.windows_sid`
`properties.RemoteIPType`	`additional.fields[remote_ip_type]`
`properties.AdditionalFields`	`additional.fields[additional_fields]`
`properties.AppGuardContainerId`	`additional.fields[app_guard_container_id]`
`properties.InitiatingProcessCreationTime`	`additional.fields[initiating_process_creation_time]`
`properties.InitiatingProcessIntegrityLevel`	`additional.fields[initiating_process_integrity_level]`
`properties.InitiatingProcessVersionInfoCompanyName`	`principal.process.file.exif_info.company`
`properties.InitiatingProcessVersionInfoFileDescription`	`principal.process.file.exif_info.file_description`
`properties.InitiatingProcessVersionInfoInternalFileName`	`additional.fields[initiating_process_version_info_internal_file_name]`
`properties.InitiatingProcessVersionInfoOriginalFileName`	`principal.process.file.exif_info.original_file`
`properties.InitiatingProcessVersionInfoProductName`	`principal.process.file.exif_info.product`
`properties.InitiatingProcessVersionInfoProductVersion`	`additional.fields[initiating_process_version_info_product_version]`
`properties.InitiatingProcessParentCreationTime`	`additional.fields[initiating_process_parent_creation_time]`

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceNetworkEvents

The following table lists the log fields for the DeviceNetworkEvents log type and their corresponding UDM fields:

Log field	UDM mapping	Logic
`properties.ActionType`	`security_result.summary`
`properties.InitiatingProcessSessionId`	`additional.fields[initiating_process_session_id]`
`properties.IsInitiatingProcessRemoteSession`	`additional.fields[is_initiating_process_remote_session]`
`properties.InitiatingProcessRemoteSessionDeviceName`	`src.hostname`
`properties.InitiatingProcessRemoteSessionIP`	`src.ip`
`properties.Timestamp`	`metadata.event_timestamp`
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_CONNECTION` .
`properties.ReportId`	`metadata.product_log_id`
`properties.Protocol`	`network.ip_protocol`	If the `properties.Protocol` log field value is equal to `Tcp` , then the `network.ip_protocol` UDM field is set to `TCP` . Else, if the `properties.Protocol` log field value is equal to `Udp` , then the `network.ip_protocol` UDM field is set to `UDP` . Else, if the `properties.Protocol` log field value is equal to `Icmp` , then the `network.ip_protocol` UDM field is set to `ICMP` .
`properties.InitiatingProcessAccountDomain`	`principal.administrative_domain`
`properties.DeviceId`	`principal.asset_id`	The `principal.asset_id` is set to `DeviceID:%{properties.DeviceId}` .
`properties.DeviceName`	`principal.hostname`
`properties.LocalIP`	`principal.ip`
`properties.LocalPort`	`principal.port`
`properties.InitiatingProcessCommandLine`	`principal.process.command_line`
`properties.InitiatingProcessFolderPath`	`principal.process.file.full_path`	If the `properties.InitiatingProcessFolderPath` log field value matches the regular expression pattern the `properties.InitiatingProcessFileName` log field value, then the `properties.InitiatingProcessFolderPath` log field is mapped to the `principal.process.file.full_path` UDM field. Else, the `principal.process.file.full_path` is set to `%{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}` .
`properties.InitiatingProcessMD5`	`principal.process.file.md5`	If the `properties.InitiatingProcessMD5` log field value matches the regular expression pattern `^[0-9a-f]+$` , then the `properties.InitiatingProcessMD5` log field is mapped to the `principal.process.file.md5` UDM field.
`properties.InitiatingProcessFileName`	`principal.process.file.names`
`properties.InitiatingProcessSHA1`	`principal.process.file.sha1`	If the `properties.InitiatingProcessSHA1` log field value matches the regular expression pattern `^[0-9a-f]+$` , then the `properties.InitiatingProcessSHA1` log field is mapped to the `principal.process.file.sha1` UDM field.
`properties.InitiatingProcessSHA256`	`principal.process.file.sha256`	If the `properties.InitiatingProcessSHA256` log field value matches the regular expression pattern `^[a-f0-9]{64}$` , then the `properties.InitiatingProcessSHA256` log field is mapped to the `principal.process.file.sha256` UDM field.
`properties.InitiatingProcessFileSize`	`principal.process.file.size`
`properties.InitiatingProcessParentFileName`	`principal.process.parent_process.file.names`
`properties.InitiatingProcessParentId`	`principal.process.parent_process.pid`
`properties.InitiatingProcessId`	`principal.process.pid`
`properties.InitiatingProcessTokenElevation`	`principal.process.token_elevation_type`	If the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeFull` , then the `principal.process.token_elevation_type` UDM field is set to `TYPE_1` . Else, if the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeDefault` , then the `principal.process.token_elevation_type` UDM field is set to `TYPE_2` . Else, if the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeLimited` , then the `principal.process.token_elevation_type` UDM field is set to `TYPE_3` .
`properties.InitiatingProcessAccountObjectId`	`principal.user.product_object_id`
`properties.InitiatingProcessAccountUpn`	`principal.user.user_display_name`
`properties.InitiatingProcessAccountName`	`principal.user.userid`
`properties.InitiatingProcessAccountSid`	`principal.user.windows_sid`
`properties.RemoteIP`	`target.ip`
`properties.RemotePort`	`target.port`
`properties.RemoteUrl`	`target.url`
`properties.LocalIPType`	`additional_fields[LocalIPType]`
`properties.RemoteIPType`	`additional_fields[RemoteIPType]`
`properties.AdditionalFields`	`additional.fields[additional_fields]`
`properties.AppGuardContainerId`	`additional.fields[app_guard_container_id]`
`properties.InitiatingProcessCreationTime`	`additional.fields[initiating_process_creation_time]`
`properties.InitiatingProcessIntegrityLevel`	`additional.fields[initiating_process_integrity_level]`
`properties.InitiatingProcessParentCreationTime`	`additional.fields[initiating_process_parent_creation_time]`
`properties.InitiatingProcessVersionInfoCompanyName`	`principal.process.file.exif_info.company`
`properties.InitiatingProcessVersionInfoFileDescription`	`principal.process.file.exif_info.file_description`
`properties.InitiatingProcessVersionInfoInternalFileName`	`additional.fields[initiating_process_version_info_internal_file_name]`
`properties.InitiatingProcessVersionInfoOriginalFileName`	`principal.process.file.exif_info.original_file`
`properties.InitiatingProcessVersionInfoProductName`	`principal.process.file.exif_info.product`
`properties.InitiatingProcessVersionInfoProductVersion`	`additional.fields[initiating_process_version_info_product_version]`

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceNetworkInfo

The following table lists the log fields for the DeviceNetworkInfo log type and their corresponding UDM fields:

Log field	UDM mapping	Logic
`properties.NetworkAdapterDnsSuffix`	`entity.asset.attribute.labels[network_adapter_dns_suffix]`
`properties.OnboardingStatus`	`entity.asset.attribute.labels[onboarding_status]`
`properties.DeviceId`	`entity.asset_id`	The `entity.asset_id` is set to `DeviceID:%{properties.DeviceId}` .
`properties.DeviceId`	`entity.asset.asset_id`	The `entity.asset.asset_id` is set to `DeviceID:%{properties.DeviceId}` .
`properties.ReportId`	`entity.asset.attribute.labels[report_id]`
`properties.ConnectedNetworks`	`entity.asset.attribute.labels[connected_networks]`
`properties.MacAddress`	`entity.asset.mac`
`properties.NetworkAdapterName`	`entity.asset.attribute.labels[network_adapter_name]`
`properties.NetworkAdapterStatus`	`entity.asset.attribute.labels[network_adapter_status]`
`properties.NetworkAdapterType`	`entity.asset.attribute.labels[network_adapter_type]`
`properties.NetworkAdapterVendor`	`entity.asset.attribute.labels[network_adapter_vendor]`
`properties.TunnelType`	`entity.asset.attribute.labels[tunnel_type]`
`properties.DefaultGateways`	`entity.asset.attribute.labels[default_gateways]`
`properties.DeviceName`	`entity.asset.hostname`
`properties.IPAddresses`	`entity.asset.ip`
	`entity.asset.type`	The `entity.asset.type` UDM field is set to `WORKSTATION` .
`properties.DnsAddresses`	`entity.domain.last_dns_records.type`	The `entity.domain.last_dns_records.type` UDM field is set to `ip_address` .
`properties.DnsAddresses`	`entity.domain.last_dns_records.value`	The `properties.DnsAddresses` log field is mapped to the `entity.domain.last_dns_records.value` UDM field.
`properties.IPv4Dhcp`	`entity.network.dhcp.ciaddr`	If the `properties.IPv4Dhcp` log field value is not empty, then the `properties.IPv4Dhcp` log field is mapped to the `entity.network.dhcp.ciaddr` UDM field. Else, the `properties.IPv6Dhcp` log field is mapped to the `entity.network.dhcp.ciaddr` UDM field.
`properties.Timestamp`	`metadata.creation_time`
	`metadata.entity_type`	The `metadata.entity_type` UDM field is set to `ASSET` .
`properties.DeviceId`	`metadata.product_entity_id`	The `metadata.product_entity_id` is set to `DeviceID:%{properties.DeviceId}` .

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceProcessEvents

The following table lists the log fields for the DeviceProcessEvents log type and their corresponding UDM fields:

Log field	UDM mapping	Logic
`properties.InitiatingProcessSessionId`	`additional.fields[initiating_process_session_id]`
`properties.IsInitiatingProcessRemoteSession`	`additional.fields[is_initiating_process_remote_session]`
`properties.InitiatingProcessRemoteSessionDeviceName`	`src.hostname`	If `properties.InitiatingProcessRemoteSessionDeviceName` log field is not empty, then `properties.InitiatingProcessRemoteSessionDeviceName` log field is mapped to `src.hostname` UDM field.
`properties.ProcessRemoteSessionDeviceName`	`src.hostname`	If `properties.InitiatingProcessRemoteSessionDeviceName` log field is empty, then `properties.ProcessRemoteSessionDeviceName` log field is mapped to `src.hostname` UDM field.
`properties.InitiatingProcessRemoteSessionIP`	`src.ip`
`properties.ProcessRemoteSessionIP`	`src.ip`
`properties.CreatedProcessSessionId`	`additional.fields[created_process_session_id]`
`properties.IsProcessRemoteSession`	`additional.fields[is_process_remote_session]`
`properties.Timestamp`	`metadata.event_timestamp`
`properties.ActionType`	`metadata.event_type`	If the `properties.ActionType` log field value matches the regular expression pattern `(?i)ProcessCreated` , then the `metadata.event_type` UDM field is set to `PROCESS_LAUNCH` . Else, if the `properties.ActionType` log field value matches the regular expression pattern `(?i)OpenProcess` , then the `metadata.event_type` UDM field is set to `PROCESS_OPEN` .
`properties.ReportId`	`metadata.product_log_id`
`properties.LogonId`	`network.session_id`
`properties.InitiatingProcessAccountDomain`	`principal.administrative_domain`
`properties.DeviceId`	`principal.asset_id`	The `principal.asset_id` is set to `DeviceID:%{properties.DeviceId}` .
`properties.DeviceName`	`principal.hostname`
`properties.InitiatingProcessCommandLine`	`principal.process.command_line`
`properties.InitiatingProcessFolderPath`	`principal.process.file.full_path`	If the `properties.InitiatingProcessFolderPath` log field value matches the regular expression pattern the `properties.InitiatingProcessFileName` log field value, then the `properties.InitiatingProcessFolderPath` log field is mapped to the `principal.process.file.full_path` UDM field. Else, the `principal.process.file.full_path` is set to `%{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}` .
`properties.InitiatingProcessMD5`	`principal.process.file.md5`	If the `properties.InitiatingProcessMD5` log field value matches the regular expression pattern `^[0-9a-f]+$` , then the `properties.InitiatingProcessMD5` log field is mapped to the `principal.process.file.md5` UDM field.
`properties.InitiatingProcessFileName`	`principal.process.file.names`
`properties.InitiatingProcessSHA1`	`principal.process.file.sha1`	If the `properties.InitiatingProcessSHA1` log field value matches the regular expression pattern `^[0-9a-f]+$` , then the `properties.InitiatingProcessSHA1` log field is mapped to the `principal.process.file.sha1` UDM field.
`properties.InitiatingProcessSHA256`	`principal.process.file.sha256`	If the `properties.InitiatingProcessSHA256` log field value matches the regular expression pattern `^[a-f0-9]{64}$` , then the `properties.InitiatingProcessSHA256` log field is mapped to the `principal.process.file.sha256` UDM field.
`properties.InitiatingProcessSignatureStatus`	`principal.process.file.signature_info.sigcheck.signers.status`
`properties.InitiatingProcessFileSize`	`principal.process.file.size`
`properties.InitiatingProcessParentId`	`principal.process.parent_process.pid`
`properties.InitiatingProcessParentFileName`	`principal.process.parent_process.file.names`
`properties.InitiatingProcessId`	`principal.process.pid`
`properties.InitiatingProcessTokenElevation`	`principal.process.token_elevation_type`	If the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeFull` , then the `principal.process.token_elevation_type` UDM field is set to `TYPE_1` . Else, if the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeDefault` , then the `principal.process.token_elevation_type` UDM field is set to `TYPE_2` . Else, if the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeLimited` , then the `principal.process.token_elevation_type` UDM field is set to `TYPE_3`
`properties.InitiatingProcessAccountObjectId`	`principal.user.product_object_id`
`properties.InitiatingProcessAccountUpn`	`principal.user.user_display_name`
`properties.InitiatingProcessAccountName`	`principal.user.userid`
`properties.InitiatingProcessAccountSid`	`principal.user.windows_sid`
`properties.AccountDomain`	`target.administrative_domain`
`properties.FolderPath`	`target.file.full_path`	If the `properties.FolderPath` log field value matches the regular expression pattern the `properties.FileName` log field value, then the `properties.FolderPath` log field is mapped to the `target.file.full_path` UDM field. Else, the `target.file.full_path` set to `%{properties.FolderPath}/%{properties.FileName}` .
`properties.MD5`	`target.process.file.md5`	If the `properties.MD5` log field value matches the regular expression pattern `^[0-9a-f]+$` , then the `properties.MD5` log field is mapped to the `target.file.md5` UDM field.
`properties.FileName`	`target.process.file.names`
`properties.SHA1`	`target.process.file.sha1`	If the `properties.SHA1` log field value matches the regular expression pattern `^[0-9a-f]+$` , then the `properties.SHA1` log field is mapped to the `target.file.sha1` UDM field.
`properties.SHA256`	`target.process.file.sha256`	If the `properties.SHA256` log field value matches the regular expression pattern `^[a-f0-9]{64}$` , then the `properties.SHA256` log field is mapped to the `target.file.sha256` UDM field.
`properties.FileSize`	`target.process.file.size`
`properties.ProcessCommandLine`	`target.process.command_line`
`properties.ProcessId`	`target.process.pid`
`properties.ProcessTokenElevation`	`target.process.token_elevation_type`	If the `properties.ProcessTokenElevation` log field value is equal to `TokenElevationTypeFull` , then the `target.process.token_elevation_type` UDM field is set to `TYPE_1` . Else, if the `properties.ProcessTokenElevation` log field value is equal to `TokenElevationTypeDefault` , then the `target.process.token_elevation_type` UDM field is set to `TYPE_2` . Else, if the `properties.ProcessTokenElevation` log field value is equal to `TokenElevationTypeLimited` , then the `target.process.token_elevation_type` UDM field is set to `TYPE_3` .
`properties.ProcessIntegrityLevel`	`target.resource.attribute.labels[process_integrity_level]`
`properties.AccountUpn`	`target.user.user_display_name`
`properties.AccountName`	`target.user.userid`
`properties.AccountSid`	`target.user.windows_sid`
`properties.InitiatingProcessCreationTime`	`additional.fields[initiating_process_creation_time]`
`properties.InitiatingProcessParentCreationTime`	`additional.fields[initiating_process_parent_creation_time]`
`properties.AccountObjectId`	`additional.fields[account_object_id]`
`properties.AdditionalFields`	`additional.fields[additional_fields]`
`properties.AppGuardContainerId`	`additional.fields[app_guard_container_id]`
`properties.InitiatingProcessIntegrityLevel`	`additional.fields[initiating_process_integrity_level]`
`properties.InitiatingProcessLogonId`	`additional.fields[initiating_process_logon_id]`
`properties.InitiatingProcessSignerType`	`additional.fields[initiating_process_signer_type]`
`properties.InitiatingProcessVersionInfoCompanyName`	`principal.process.file.exif_info.company`
`properties.InitiatingProcessVersionInfoFileDescription`	`principal.process.file.exif_info.file_description`
`properties.InitiatingProcessVersionInfoInternalFileName`	`additional.fields[initiating_process_version_info_internal_file_name]`
`properties.InitiatingProcessVersionInfoOriginalFileName`	`principal.process.file.exif_info.original_file`
`properties.InitiatingProcessVersionInfoProductName`	`principal.process.file.exif_info.product`
`properties.InitiatingProcessVersionInfoProductVersion`	`additional.fields[initiating_process_version_info_product_version]`
`properties.ProcessCreationTime`	`additional.fields[process_creation_time]`
`properties.ProcessVersionInfoCompanyName`	`target.process.file.exif_info.company`
`properties.ProcessVersionInfoFileDescription`	`target.process.file.exif_info.file_description`
`properties.ProcessVersionInfoInternalFileName`	`additional.fields[process_version_info_internal_file_name]`
`properties.ProcessVersionInfoOriginalFileName`	`target.process.file.exif_info.original_file`
`properties.ProcessVersionInfoProductName`	`target.process.file.exif_info.product`
`properties.ProcessVersionInfoProductVersion`	`additional.fields[process_version_info_product_version]`

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmInfoGathering

The following table lists the log fields for the DeviceTvmInfoGathering log type and their corresponding UDM fields:

Log field	UDM mapping	Logic
`properties.Timestamp`	`metadata.event_timestamp`
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `SCAN_HOST` .
`properties.DeviceId`	`principal.asset_id`	The `principal.asset_id` is set to `DeviceID:%{properties.DeviceId}` .
`properties.OSPlatform`	`principal.asset.platform_software.platform`	If the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)macos` , then the `principal.asset.platform_software.platform` UDM field is set to `MAC` . Else, if the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)windows` , then the `principal.asset.platform_software.platform` UDM field is set to `WINDOWS` . Else, if the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)linux` , then the `principal.asset.platform_software.platform` UDM field is set to `LINUX` .
`properties.OSPlatform`	`principal.asset.platform_software.platform_version`
`properties.DeviceName`	`principal.hostname`
`properties.LastSeenTime`	`principal.asset.last_discover_time`
`properties.AdditionalFields`	`additional.fields[additional_fields]`

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceRegistryEvents

The following table lists the log fields for the DeviceRegistryEvents log type and their corresponding UDM fields:

Log field	UDM mapping	Logic
`properties.InitiatingProcessSessionId`	`additional.fields[initiating_process_session_id]`
`properties.IsInitiatingProcessRemoteSession`	`additional.fields[is_initiating_process_remote_session]`
`properties.InitiatingProcessRemoteSessionDeviceName`	`src.hostname`
`properties.InitiatingProcessRemoteSessionIP`	`src.ip`
`properties.Timestamp`	`metadata.event_timestamp`
`properties.ActionType`	`metadata.event_type`	If the `properties.ActionType` log field value matches the regular expression pattern `(?i)RegistryKeyCreated` , then the `metadata.event_type` UDM field is set to `REGISTRY_CREATION` . Else, if the `properties.ActionType` log field value matches the regular expression pattern `(?i)RegistryKeyDeleted` , then the `metadata.event_type` UDM field is set to `REGISTRY_DELETION` . Else, if the `properties.ActionType` log field value matches the regular expression pattern `(?i)RegistryKeyRenamed` , then the `metadata.event_type` UDM field is set to `REGISTRY_MODIFICATION` . Else, if the `properties.ActionType` log field value matches the regular expression pattern `(?i)RegistryValueDeleted` , then the `metadata.event_type` UDM field is set to `REGISTRY_DELETION` . Else, if the `properties.ActionType` log field value matches the regular expression pattern `(?i)RegistryValueSet` , then the `metadata.event_type` UDM field is set to `REGISTRY_MODIFICATION` . Else, the `metadata.event_type` UDM field is set to `REGISTRY_UNCATEGORIZED` .
`properties.ReportId`	`metadata.product_log_id`
`properties.InitiatingProcessAccountDomain`	`principal.administrative_domain`
`properties.DeviceId`	`principal.asset_id`	The `principal.asset_id` is set to `DeviceID:%{properties.DeviceId}` .
`properties.DeviceName`	`principal.hostname`
`properties.InitiatingProcessCommandLine`	`principal.process.command_line`
`properties.InitiatingProcessFolderPath`	`principal.process.file.full_path`	If the `properties.InitiatingProcessFolderPath` log field value matches the regular expression pattern the `properties.InitiatingProcessFileName` log field value, then the `properties.InitiatingProcessFolderPath` log field is mapped to the `principal.process.file.full_path` UDM field. Else, the `principal.process.file.full_path` is set to `%{properties.InitiatingProcessFolderPath}/%{properties.InitiatingProcessFileName}` .
`properties.InitiatingProcessMD5`	`principal.process.file.md5`	If the `properties.InitiatingProcessMD5` log field value matches the regular expression pattern `^[0-9a-f]+$` , then the `properties.InitiatingProcessMD5` log field is mapped to the `principal.process.file.md5` UDM field.
`properties.InitiatingProcessFileName`	`principal.process.file.names`
`properties.InitiatingProcessSHA1`	`principal.process.file.sha1`	If the `properties.InitiatingProcessSHA1` log field value matches the regular expression pattern `^[0-9a-f]+$` , then the `properties.InitiatingProcessSHA1` log field is mapped to the `principal.process.file.sha1` UDM field.
`properties.InitiatingProcessSHA256`	`principal.process.file.sha256`	If the `properties.InitiatingProcessSHA256` log field value matches the regular expression pattern `^[a-f0-9]{64}$` , then the `properties.InitiatingProcessSHA256` log field is mapped to the `principal.process.file.sha256` UDM field.
`properties.InitiatingProcessFileSize`	`principal.process.file.size`
`properties.InitiatingProcessParentFileName`	`principal.process.parent_process.file.names`
`properties.InitiatingProcessParentId`	`principal.process.parent_process.pid`
`properties.InitiatingProcessId`	`principal.process.pid`
`properties.PreviousRegistryValueData`	`src.registry.registry_value_data`
`properties.PreviousRegistryKey`	`src.registry.registry_key`
`properties.PreviousRegistryValueName`	`src.registry.registry_value_name`
`properties.InitiatingProcessAccountObjectId`	`principal.user.attribute.labels[initiating_process_account_object_id]`
`properties.InitiatingProcessAccountUpn`	`principal.user.attribute.labels[initiating_process_account_upn]`
`properties.InitiatingProcessAccountName`	`principal.user.userid`
`properties.InitiatingProcessAccountSid`	`principal.user.windows_sid`
`properties.InitiatingProcessTokenElevation`	`principal.process.token_elevation_type`	If the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeFull` , then the `principal.process.token_elevation_type` UDM field is set to `TYPE_1` . Else, if the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeDefault` , then the `principal.process.token_elevation_type` UDM field is set to `TYPE_2` . Else, if the `properties.InitiatingProcessTokenElevation` log field value is equal to `TokenElevationTypeLimited` , then the `principal.process.token_elevation_type` UDM field is set to `TYPE_3` .
`properties.RegistryValueData`	`target.registry.registry_value_data`
`properties.RegistryKey`	`target.registry.registry_key`
`properties.RegistryValueName`	`target.registry.registry_value_name`
`properties.InitiatingProcessCreationTime`	`additional.fields[initiating_process_creation_time]`
`properties.InitiatingProcessIntegrityLevel`	`additional.fields[initiating_process_integrity_level]`
`properties.InitiatingProcessParentCreationTime`	`additional.fields[initiating_process_parent_creation_time]`
`properties.AppGuardContainerId`	`additional.fields[app_guard_container_id]`
`properties.InitiatingProcessVersionInfoCompanyName`	`principal.process.file.exif_info.company`
`properties.InitiatingProcessVersionInfoFileDescription`	`principal.process.file.exif_info.file_description`
`properties.InitiatingProcessVersionInfoInternalFileName`	`additional.fields[initiating_process_version_info_internal_file_name]`
`properties.InitiatingProcessVersionInfoOriginalFileName`	`principal.process.file.exif_info.original_file`
`properties.InitiatingProcessVersionInfoProductName`	`principal.process.file.exif_info.product`
`properties.InitiatingProcessVersionInfoProductVersion`	`additional.fields[initiating_process_version_info_product_version]`
`properties.RegistryValueType`	`additional.fields[registry_value_type]`

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmInfoGatheringKB

The following table lists the log fields for the DeviceTvmInfoGatheringKB log type and their corresponding UDM fields:

Log field	UDM mapping	Logic
`properties.Description`	`metadata.description`
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT` .
`properties.IgId`	`metadata.product_log_id`
`properties.Categories`	`principal.resource.attribute.labels[categories]`
`properties.DataStructure`	`principal.resource.attribute.labels[data_structure]`
`properties.FieldName`	`principal.resource.name`

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmSecureConfigurationAssessment

The following table lists the log fields for the DeviceTvmSecureConfigurationAssessment log type and their corresponding UDM fields:

Log field	UDM mapping	Logic
`properties.Timestamp`	`metadata.event_timestamp`
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `SCAN_UNCATEGORIZED` .
`properties.DeviceId`	`principal.asset_id`	The `principal.asset_id` is set to `DeviceID:%{properties.DeviceId}` .
`properties.OSPlatform`	`principal.asset.platform_software.platform`	If the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)macos` , then the `prinipal.asset.platform_software.platform` UDM field is set to `MAC` . Else, if the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)windows` , then the `principal.asset.platform_software.platform` UDM field is set to `WINDOWS` . Else, if the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)linux` , then the `principal.asset.platform_software.platform` UDM field is set to `LINUX` .
`properties.DeviceName`	`principal.hostname`
`properties.ConfigurationCategory`	`principal.resource.attribute.labels[configuration_category]`
`properties.ConfigurationImpact`	`principal.resource.attribute.labels[configuration_impact]`
`properties.Context`	`principal.resource.attribute.labels[contex]`
`properties.IsApplicable`	`principal.resource.attribute.labels[is_applicable]`
`properties.IsCompliant`	`principal.resource.attribute.labels[is_compliant]`
`properties.IsExpectedUserImpact`	`principal.resource.attribute.labels[is_expected_user_impact]`
`properties.ConfigurationId`	`principal.resource.product_object_id`
`properties.ConfigurationSubcategory`	`principal.resource.resource_subtype`
	`principal.resource.resource_type`	The `principal.resource.resource_type` UDM field is set to `ACCESS_POLICY` .

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmSecureConfigurationAssessmentKB

The following table lists the log fields for the DeviceTvmSecureConfigurationAssessmentKB log type and their corresponding UDM fields:

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT` .
`properties.ConfigurationBenchmarks`	`principal.resource.attribute.labels[configuration_benchmarks]`
`properties.ConfigurationCategory`	`principal.resource.attribute.labels[configuration_category]`
`properties.ConfigurationDescription`	`principal.resource.attribute.labels[configuration_description]`
`properties.ConfigurationImpact`	`principal.resource.attribute.labels[configuration_impact]`
`properties.RemediationOptions`	`principal.resource.attribute.labels[remediation_options]`
`properties.RiskDescription`	`principal.resource.attribute.labels[risk_description]`
`properties.Tags`	`principal.resource.attribute.labels[tags]`
`properties.ConfigurationName`	`principal.resource.name`
`properties.ConfigurationId`	`principal.resource.product_object_id`
`properties.ConfigurationSubcategory`	`principal.resource.resource_subtype`
	`principal.resource.resource_type`	The `principal.resource.resource_type` UDM field is set to `ACCESS_POLICY` .

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmSoftwareEvidenceBeta

The following table lists the log fields for the DeviceTvmSoftwareEvidenceBeta log type and their corresponding UDM fields:

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT` .
`properties.DeviceId`	`principal.asset_id`	The `principal.asset_id` is set to `DeviceID:%{properties.DeviceId}` .
`properties.DiskPaths`	`principal.asset.attribute.labels[disk_paths]`	The `properties.DiskPaths` log field is mapped to the `principal.asset.attribute.labels.disk_paths` UDM field.
`properties.RegistryPaths`	`principal.asset.attribute.labels[registry_paths]`	The `properties.RegistryPaths` log field is mapped to the `principal.asset.attribute.labels.registry_paths` UDM field.
`properties.LastSeenTime`	`principal.asset.last_discover_time`
`properties.SoftwareName`	`principal.asset.software.name`
`properties.SoftwareVendor`	`principal.asset.software.vendor_name`
`properties.SoftwareVersion`	`principal.asset.software.version`

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmSoftwareInventory

The following table lists the log fields for the DeviceTvmSoftwareInventory log type and their corresponding UDM fields:

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT` .
`properties.DeviceId`	`principal.asset_id`	The `principal.asset_id` is set to `DeviceID:%{properties.DeviceId}` .
`properties.EndOfSupportDate`	`principal.asset.attribute.labels[end_of_support_date]`
`properties.EndOfSupportStatus`	`principal.asset.attribute.labels[end_of_support_status]`
`properties.OSArchitecture`	`principal.asset.attribute.labels[os_architecture]`
`properties.ProductCodeCpe`	`principal.asset.attribute.labels[product_code_cpe]`
`properties.OSPlatform`	`principal.asset.platform_software.platform`	If the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)macos` , then the `prinipal.asset.platform_software.platform` UDM field is set to `MAC` . Else, if the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)windows` , then the `principal.asset.platform_software.platform` UDM field is set to `WINDOWS` . Else, if the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)linux` , then the `principal.asset.platform_software.platform` UDM field is set to `LINUX` .
`properties.OSVersion`	`principal.asset.platform_software.platform_version`
`properties.SoftwareName`	`principal.asset.software.name`
`properties.SoftwareVendor`	`principal.asset.software.vendor_name`
`properties.SoftwareVersion`	`principal.asset.software.version`
`properties.DeviceName`	`principal.hostname`

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmSoftwareVulnerabilities

The following table lists the log fields for the DeviceTvmSoftwareVulnerabilities log type and their corresponding UDM fields:

Log field	UDM mapping	Logic
`properties.CveId`	`extensions.vulns.vulnerabilities.cve_id`
`properties.VulnerabilityLevel`	`extensions.vulns.vulnerabilities.severity`	If the `properties.VulnerabilityLevel` log field value is equal to `High` , then the `extensions.vulns.vulnerabilities.severity` UDM field is set to `HIGH` . Else, if the `properties.VulnerabilityLevel` log field value is equal to `Medium` , then the `extensions.vulns.vulnerabilities.severity` UDM field is set to `MEDIUM` . Else, if the `properties.VulnerabilityLevel` log field value is equal to `Low` , then the `extensions.vulns.vulnerabilities.severity` UDM field is set to `LOW` . Else, if the `properties.VulnerabilityLevel` log field value is equal to `Informational` , then the `extensions.vulns.vulnerabilities.severity` UDM field is set to `INFORMATIONAL` .
`properties.SeverityLevel`	`extensions.vulns.vulnerablitities.severity_details`
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `SCAN_VULN_HOST` .
`properties.DeviceId`	`principal.asset_id`	The `principal.asset_id` is set to `DeviceID:%{properties.DeviceId}` .
`properties.OSPlatform`	`principal.asset.platform_software.platform`	If the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)macos` , then the `principal.asset.platform_software.platform` UDM field is set to `MAC` . Else, if the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)windows` , then the `principal.asset.platform_software.platform` UDM field is set to `WINDOWS` . Else, if the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)linux` , then the `principal.asset.platform_software.platform` UDM field is set to `LINUX` .
`properties.OSVersion`	`principal.asset.platform_software.platform_version`
`properties.SoftwareName`	`principal.asset.software.name`
`properties.SoftwareVendor`	`principal.asset.software.vendor_name`
`properties.SoftwareVersion`	`principal.asset.software.version`
`properties.DeviceName`	`principal.hostname`
`properties.RecommendedSecurityUpdateId`	`security_result.detection_fields[recommended_security_update_id]`
`properties.RecommendedSecurityUpdate`	`security_result.detection_fields[recommended_security_update]`
`properties.CveTags`	`additional.fields[cve_tags]`

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmSoftwareVulnerabilitiesKB

The following table lists the log fields for the DeviceTvmSoftwareVulnerabilitiesKB log type and their corresponding UDM fields:

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT` .
`properties.CveId`	`extensions.vulns.vulnerabilities.cve_id`
`properties.CvssScore`	`extensions.vulns.vulnerablities.cvss_base_score`
`properties.IsExploitAvailable`	`additional.fields[is_exploit_available]`
`properties.VulnerabilitySeverityLevel`	`extensions.vulns.vulnerabilities.severity`	If the `properties.VulnerabilitySeverityLevel` log field value is equal to `High` , then the `extensions.vulns.vulnerabilities.severity` UDM field is set to `HIGH` . Else, if the `properties.VulnerabilitySeverityLevel` log field value is equal to `Medium` , then the `extensions.vulns.vulnerabilities.severity` UDM field is set to `MEDIUM` . Else, if the `properties.VulnerabilitySeverityLevel` log field value is equal to `Low` , then the `extensions.vulns.vulnerabilities.severity` UDM field is set to `LOW` . Else, if the `properties.VulnerabilitySeverityLevel` log field value is equal to `Informational` , then the `extensions.vulns.vulnerabilities.severity` UDM field is set to `INFORMATIONAL` . Else, the `extensions.vulns.vulnerabilities.severity` UDM field is set to `UNKNOWN_SEVERITY` .
`properties.VulnerabilitySeverityLevel`	`extensions.vulns.vulnerablitities.severity_details`
`properties.LastModifiedTime`	`additional.fields[last_modified_time]`
`properties.PublishedDate`	`additional.fields[published_date]`
`properties.VulnerabilityDescription`	`extensions.vulns.vulnerabilities.cve_description`
`properties.AffectedSoftware`	`target.application`

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - EmailAttachmentInfo

The following table lists the log fields for the EmailAttachmentInfo log type and their corresponding UDM fields:

Log field	UDM mapping	Logic
`properties.FileType`	`target.file.mime_type`
`properties.FileName`	`target.file.names`
`properties.SHA256`	`target.file.sha256`	If the `properties.SHA256` log field value matches the regular expression pattern `^[a-f0-9]{64}$` , then the `properties.SHA256` log field is mapped to the `target.file.sha256` UDM field.
`properties.FileSize`	`target.file.size`
`properties.Timestamp`	`metadata.event_timestamp`
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `EMAIL_TRANSACTION` .
`properties.ReportId`	`metadata.product_log_id`
`properties.SenderFromAddress`	`network.email.from`	If the `properties.SenderFromAddress` log field value matches the regular expression pattern `^.+@.+$` and the length of the value is 256 characters or less, then the `properties.SenderFromAddress` log field is mapped to the `network.email.from` UDM field. Else, the `additional.fields.key` UDM field is set to `SenderFromAddress` and the `properties.SenderFromAddress` log field value is mapped to the `additional.fields.value.string_value` UDM field.
`properties.SenderFromAddress`	`principal.user.email_addresses`
`properties.NetworkMessageId`	`network.email.mail_id`
`properties.RecipientEmailAddress`	`network.email.to`	If the `properties.RecipientEmailAddress` log field value matches the regular expression pattern `^.+@.+$` and the length of the value is 256 characters or less, then the `properties.RecipientEmailAddress` log field is mapped to the `network.email.to` UDM field. Else, the `additional.fields.key` UDM field is set to `RecipientEmailAddress` and the `properties.RecipientEmailAddress` log field value is mapped to the `additional.fields.value.string_value` UDM field.
`properties.RecipientEmailAddress`	`target.user.email_addresses`
`properties.SenderObjectId`	`principal.user.product_object_id`
`properties.SenderDisplayName`	`principal.user.user_display_name`
`properties.ThreatTypes`	`entity.security_result.category`	If the `properties.ThreatTypes` log field value is equal to `Phish` , then the `entity.security_result.category` UDM field is set to `MAIL_PHISHING` . Else, the `entity.security_result.category` UDM field is set to `UNKNOWN_CATEGORY`
`properties.ThreatTypes`	`security_result.category_details`
`properties.DetectionMethods`	`security_result.detection_fields[detection_methods]`
`properties.ThreatNames`	`security_result.threat_name`
`properties.RecipientObjectId`	`target.user.product_object_id`

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - EmailEvents

The following table lists the log fields for the EmailEvents log type and their corresponding UDM fields:

Log field

UDM mapping

Logic

properties.Timestamp

metadata.event_timestamp

metadata.event_type

The metadata.event_type UDM field is set to EMAIL_TRANSACTION .

properties.ReportId

metadata.product_log_id

properties.EmailDirection

network.direction

If the properties.EmailDirection log field value is equal to Inbound , then the network.direction UDM field is set to INBOUND .

Else, if the properties.EmailDirection log field value is equal to Outbound , then the network.direction UDM field is set to OUTBOUND .

Else, the network.direction UDM field is set to UNKNOWN_DIRECTION .

properties.NetworkMessageId

network.email.mail_id

properties.Subject

network.email.subject

properties.RecipientEmailAddress

network.email.to

properties.SenderFromDomain

principal.administrative_domain

properties.SenderIPv4

principal.ip

properties.SenderIPv6

principal.ip

properties.SenderMailFromAddress

network.email.reply_to

properties.SenderFromAddress

network.email.from

If the properties.SenderFromAddress log field value matches the regular expression pattern ^.+@.+$ and the length of the value is 256 characters or less, then the properties.SenderFromAddress log field is mapped to the network.email.from UDM field.
Else, the additional.fields.key UDM field is set to SenderFromAddress and the properties.SenderFromAddress log field value is mapped to the additional.fields.value.string_value UDM field.

properties.SenderFromAddress

principal.user.email_addresses

If the properties.SenderFromAddress log field value matches the regular expression pattern ^.+@.+$ , then the properties.SenderFromAddress log field is mapped to the principal.user.email_addresses UDM field.

properties.SenderMailFromDomain

principal.user.attribute.labels[sender_mail_from_domain]

properties.SenderObjectId

principal.user.product_object_id

properties.SenderDisplayName

principal.user.user_display_name

properties.ThreatTypes

security_result.category

If the properties.ThreatTypes log field value is equal to Phish , then the security_result.category UDM field is set to MAIL_PHISHING .

properties.ThreatTypes

security_result.category_details

properties.ConfidenceLevel

security_result.confidence_details

properties.EmailAction

security_result.description

properties.AuthenticationDetails

security_result.detection_fields[authentication_details]

properties.BulkComplaintLevel

security_result.detection_fields[bulk_complaint_level]

properties.DetectionMethods

security_result.detection_fields[detection_methods]

properties.EmailActionPolicyGuid

security_result.rule_id

properties.EmailActionPolicy

security_result.rule_name

properties.ThreatNames

security_result.threat_name

properties.OrgLevelAction

security_result.rule_labels[org_level_action]

properties.OrgLevelPolicy

security_result.rule_labels[org_level_policy]

properties.UserLevelAction

security_result.rule_labels[user_level_action]

properties.UserLevelPolicy

security_result.rule_labels[user_level_policy]

properties.RecipientEmailAddress

network.email.to

If the properties.RecipientEmailAddress log field value matches the regular expression pattern ^.+@.+$ and the length of the value is 256 characters or less, then the properties.RecipientEmailAddress log field is mapped to the network.email.to UDM field.

Else, the additional.fields.key UDM field is set to RecipientEmailAddress and the properties.RecipientEmailAddress log field value is mapped to the additional.fields.value.string_value UDM field.

properties.RecipientEmailAddress

target.user.email_addresses

If the properties.RecipientEmailAddress log field value matches the regular expression pattern ^.+@.+$ , then the properties.RecipientEmailAddress log field is mapped to the target.user.email_addresses UDM field.

properties.RecipientObjectId

target.user.product_object_id

properties.AdditionalFields

additional.fields[additional_fields]

properties.DeliveryAction

security_result.action

If the properties.DeliveryAction log field is equal to Delivered , then the security_result.action UDM field is set to ALLOW .

Else, if the properties.DeliveryAction log field contains one of the following values:

Junked
Replaced

then the security_result.action UDM field is set to ALLOW_WITH_MODIFICATION .

Else, if the properties.DeliveryAction log field is equal to Blocked , then the security_result.action UDM field is set to BLOCK .

Else, the security_result.action UDM field is set to UNKNOWN_ACTION .

properties.DeliveryAction

security_result.action_details

properties.DeliveryLocation

additional.fields[delivery_location]

The properties.DeliveryLocation log field is mapped to the additional.fields.delivery_location UDM field.

properties.EmailClusterId

additional.fields[email_cluster_id]

properties.EmailLanguage

additional.fields[email_language]

properties.InternetMessageId

additional.fields[internet_message_id]

properties.LatestDeliveryLocation

additional.fields[last_delivery_location]

properties.UrlCount

additional.fields[url_count]

properties.Connectors

additional.fields[connectors]

properties.AttachmentCount

additional.fields[attachment_count]

properties.LatestDeliveryAction

additional.fields[latest_delivery_action]

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - EmailPostDeliveryEvents

The following table lists the log fields for the EmailPostDeliveryEvents log type and their corresponding UDM fields:

Log field

UDM mapping

Logic

properties.Timestamp

metadata.event_timestamp

metadata.event_type

The metadata.event_type UDM field is set to EMAIL_TRANSACTION .

properties.ReportId

security_result.detection_fields[report_id]

properties.NetworkMessageId

network.email.mail_id

properties.ActionResult

security_result.summary

properties.ThreatTypes

security_result.category

If the properties.ThreatTypes log field value is equal to Phish , then the security_result.category UDM field is set to MAIL_PHISHING .

properties.ThreatTypes

security_result.category_details

properties.ActionTrigger

security_result.detection_fields[action_trigger]

properties.DeliveryLocation

security_result.detection_fields[delivery_location]

properties.DetectionMethods

security_result.detection_fields[detection_methods]

properties.Action

security_result.action

If the properties.Action log field is equal to Moved to quarantine , then the security_result.action UDM field is set to QUARANTINE .

Else, if the properties.Action log field is equal to Added message info only , then the security_result.action UDM field is set to ALLOW_WITH_MODIFICATION .

Else, if the properties.Action log field is equal to Quarantine release , then the security_result.action UDM field is set to ALLOW .

Else, if the properties.Action log field is equal to Moved to junk folder , then the security_result.action UDM field is set to ALLOW_WITH_MODIFICATION .

Else, if the properties.Action log field is equal to Reprocessed , then the security_result.action UDM field is set to CHALLENGE .

Else, the security_result.action UDM field is set to UNKNOWN_ACTION .

properties.Action

security_result.action_details

properties.ActionType

security_result.verdict_info.verdict_type

If the properties.ActionType log field value is equal to Manual Remediation , then the security_result.verdict_info.verdict_type UDM field is set to ANALYST_VERDICT .

Else, if the properties.ActionType log field contains one of the following values, then the security_result.verdict_info.verdict_type UDM field is set to PROVIDER_ML_VERDICT .

Phish ZAP
Malware ZAP
Spam ZAP

properties.RecipientEmailAddress

target.user.email_addresses

properties.InternetMessageId

additional.fields[internet_message_id]

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - EmailUrlInfo

The following table lists the log fields for the EmailUrlInfo log type and their corresponding UDM fields:

Log field	UDM mapping	Logic
`properties.UrlDomain`	`target.hostname`
`properties.Url`	`target.url`
`properties.Timestamp`	`metadata.event_timestamp`
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `EMAIL_TRANSACTION` .
`properties.ReportId`	`metadata.product_log_id`
`properties.NetworkMessageId`	`network.email.mail_id`
`properties.UrlLocation`	`additional.fields[url_location]`

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - IdentityInfo

The following table lists the log fields for the IdentityInfo log type and their corresponding UDM fields:

Log field	UDM mapping	Logic
`properties.BlastRadius`	`entity.user.attribute.labels[blast_radius]`
`properties.CompanyName`	`entity.user.company_name`
`properties.CriticalityLevel`	`entity.user.attribute.labels[criticality_level]`
`properties.DeletedDateTime`	`entity.user.attribute.labels[deleted_date_time]`
`properties.EmployeeId`	`entity.user.employee_id`
`properties.GroupMembership`	`entity.user.group_identifiers`
`properties.IdentityEnvironment`	`entity.user.attribute.labels[identity_environment]`
`properties.OnPremObjectId`	`entity.user.attribute.labels[on_prem_object_id]`
`properties.OtherMailAddresses`	`entity.user.email_addresses`
`properties.PrivilegedEntraPimRoles`	`entity.user.attribute.roles.name`
`properties.RiskLevel`	`entity.user.attribute.labels[risk_level]`
`properties.RiskLevelDetails`	`entity.user.attribute.labels[risk_level_details]`
`properties.RiskStatus`	`entity.user.attribute.labels[risk_status]`
`properties.SourceProviders`	`entity.user.attribute.labels[source_providers]`
`properties.State`	`entity.user.personal_address.state`
`properties.TenantMembershipType`	`entity.user.attribute.labels[tenant_membership_type]`
`properties.UserAccountControl`	`entity.user.attribute.labels[user_account_control]`
`properties.SourceSystem`	`entity.resource.parent`
`properties.AccountDomain`	`entity.administrative_domain`
`properties.TenantId`	`entity.resource.product_object_id`
`properties.CreatedDateTime`	`entity.user.attribute.creation_time`
`properties.AccountUpn`	`entity.user.attribute.labels[account_upn]`
`properties.ChangeSource`	`entity.user.attribute.labels[change_source]`
`properties.CloudSid`	`entity.user.attribute.labels[cloud_sid]`
`properties.ReportId`	`entity.user.attribute.labels[report_id]`
`properties.SipProxyAddress`	`entity.user.attribute.labels[sip_proxy_address]`
`properties.SourceProvider`	`entity.user.attribute.labels[source_provider]`
`properties.Tags`	`entity.user.attribute.labels[tags]`
`properties.Type`	`entity.user.account_type`	If the `properties.Type` log field is equal to `User` , then the `entity.user.account_type` UDM field is set to `DOMAIN_ACCOUNT_TYPE` . Else, if the `properties.Type` log field is equal to `ServiceAccount` , then the `entity.user.account_type` UDM field is set to `SERVICE_ACCOUNT_TYPE` .
`properties.Type`	`entity.user.attribute.labels[type]`
`properties.DistinguishedName`	`entity.user.attributes.labels[distinguished_name]`
`properties.Department`	`entity.user.department`
`properties.EmailAddress`	`entity.user.email_addresses`	If the `properties.EmailAddress` log field value matches the regular expression pattern `^.+@.+$` , then the `properties.EmailAddress` log field is mapped to the `entity.user.email_addresses` UDM field.
`properties.GivenName`	`entity.user.first_name`
`properties.Surname`	`entity.user.last_name`
`properties.Manager`	`entity.user.managers.user_display_name`
`properties.City`	`entity.user.personal_address.city`
`properties.Country`	`entity.user.personal_address.country_or_region`
`properties.Address`	`entity.user.personal_address.name`
`properties.Phone`	`entity.user.phone_numbers`
`properties.AccountObjectId`	`entity.user.product_object_id`
`properties.AssignedRoles`	`entity.user.role_description`
`properties.JobTitle`	`entity.user.title`
`properties.IsAccountEnabled`	`entity.user.user_authentication_status`	If the `properties.IsAccountEnabled` log field value is equal to `1` or `true` , then the `entity.user.user_authentication_status` UDM field is set to `ACTIVE` . Else, the `entity.user.user_authentication_status` UDM field is set to `SUSPENDED` .
`properties.AccountDisplayName`	`entity.user.user_display_name`
`properties.AccountName`	`entity.user.userid`
`properties.OnPremSid`	`entity.user.attribute.labels[on_prem_sid]`
`properties.Timestamp`	`metadata.creation_time`
	`metadata.entity_type`	The `metadata.entity_type` UDM field is set to `USER` .
`properties.AccountObjectId`	`metadata.product_entity_id`

Field mapping reference: MICROSOFT DEFENDER ENDPOINT - CloudAppEvents

The following table lists the log fields for the CloudAppEvents log type and their corresponding UDM fields:

Log field	UDM mapping	Logic
`properties.Timestamp`	`metadata.event_timestamp`
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT` .
`properties.ActionType`	`security_result.summary`
`properties.Application`	`additional.fields[application]`
`properties.ApplicationId`	`additional.fields[application_id]`
`properties.AppInstanceId`	`additional.fields[app_instance_id]`
`properties.AccountObjectId`	`principal.user.product_object_id`
`properties.AccountId`	`principal.user.userid`
`properties.AccountDisplayName`	`principal.user.user_display_name`
`properties.IsAdminOperation`	`principal.user.attribute.role.type`	If the `properties.IsAdminOperation` is equal to `true` , then the `principal.user.attribute.role.type` is set to `ADMINISTRATOR` .
`properties.DeviceType`	`principal.asset.type`	If the `properties.DeviceType` log field value is equal to `NetworkDevice` , then the `principal.asset.type` UDM field is set to `NETWORK_ATTACHED_STORAGE` . Else, if the `properties.DeviceType` log field value is equal to `Workstation` , then the `principal.asset.type` UDM field is set to `WORKSTATION` . Else, if the `properties.DeviceType` log field value is equal to `Server` , then the `principal.asset.type` UDM field is set to `SERVER` . Else, if the `properties.DeviceType` log field value is equal to `Mobile` , then the `principal.asset.type` UDM field is set to `MOBILE` . Else if the `properties.DeviceType` log field value is equal to `Printer` , then the `principal.asset.type` UDM field is set to `PRINTER` . Else, the `principal.asset.type` UDM field is set to `ROLE_UNSPECIFIED` and `properties.DeviceType` is mapped to `principal.asset.attribute.labels[device_type]` .
`properties.OSPlatform`	`principal.asset.platform_software.platform`	If the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)macos` , then the `principal.asset.platform_software.platform` UDM field is set to `MAC` . Else, if the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)windows` , then the `principal.asset.platform_software.platform` UDM field is set to `WINDOWS` . Else, if the `properties.OSPlatform` log field value matches the regular expression pattern `(?i)linux` , then the `principal.asset.platform_software.platform` UDM field is set to `LINUX` .
`properties.OSPlatform`	`principal.asset.platform_software.platform_version`
`properties.IPAddresses`	`principal.ip`
`properties.IsAnonymousProxy`	`principal.asset.attribute.labels[is_anonymous_proxy]`	The `properties.IsAnonymousProxy` log field is mapped to the `principal.asset.attribute.labels[is_anonymous_proxy]` UDM field.
`properties.CountryCode`	`principal.ip_geo_artifact.location.country_or_region`
`properties.City`	`principal.ip_geo_artifact.location.city`
`properties.Isp`	`principal.asset.attribute.labels[isp]`	The `properties.Isp` log field is mapped to the `principal.asset.attribute.labels[isp]` UDM field.
`properties.UserAgent`	`network.http.user_agent`
`properties.ActivityType`	`additional.fields[activity_type]`
`properties.ActivityObjects`	`additional.fields[activity_objects]`
`properties.ObjectName`	`target.resource.name`
`properties.ObjectType`	`target.resource.resource_subtype`
`properties.ObjectId`	`target.resource.product_object_id`
`properties.ReportId`	`metadata.product_log_id`
`properties.AccountType`	`principal.asset.attribute.labels[account_type]`	The `properties.AccountType` log field is mapped to the `principal.asset.attribute.labels[account_type]` UDM field.
`properties.IsExternalUser`	`principal.asset.attribute.labels[is_external_user]`	The `properties.IsExternalUser` log field is mapped to the `principal.asset.attribute.labels[is_external_user]` UDM field.
`properties.IsImpersonated`	`principal.asset.attribute.labels[is_impersonated]`	The `properties.IsImpersonatedr` log field is mapped to the `principal.asset.attribute.labels[is_impersonated]` UDM field.
`properties.IPTags`	`principal.asset.attribute.labels[ip_tags]`	The `properties.IPTags` log field is mapped to the `principal.asset.attribute.labels[ip_tags]` UDM field.
`properties.IPCategory`	`principal.asset.attribute.labels[ip_category]`	The `properties.IPCategory` log field is mapped to the `principal.asset.attribute.labels[ip_category]` UDM field.
`properties.UserAgentTags`	`principal.asset.attribute.labels[user_agent_tags]`	The `properties.UserAgentTags` log field is mapped to the `principal.asset.attribute.labels[user_agent_tags]` UDM field.
`properties.RawEventData`	`additional.fields[raw_event_data]`	Iterate for each key, value pair of log field `properties.RawEventData` , then `value` log field is mapped to the `additional.fields.key` UDM field. Iterate for each key1, value1 pair of log field `value` , then `value1` log field is mapped to the `additional.fields.key` UDM field. Iterate for each key2, value2 pair of log field `value1` , then `value2` log field is mapped to the `additional.fields.key` UDM field. Iterate for each key3, value3 pair of log field `value2` , then `value3` log field is mapped to the `additional.fields.key` UDM field.
`properties.AdditionalFields`	`additional.fields[additional_fields]`	Iterate for each key, value pair of log field `properties.AdditionalFields` , then `value` log field is mapped to the `additional.fields.key` UDM field.
`properties.LastSeenForUser`	`additional.fields[last_seen_for_user]`	Iterate for each key, value pair of log field `properties.LastSeenForUser` , then `value` log field is mapped to the `additional.fields.key` UDM field.
`properties.UncommonForUser`	`additional.fields[uncommon_for_user]`	Iterate for each key, value pair of log field `properties.UncommonForUser` , then `value` log field is mapped to the `additional.fields.key` UDM field.
`properties.AuditSource`	`additional.fields[audit_source]`
`properties.SessionData`	`additional.fields[session_data]`
`properties.OAuthAppId`	`additional.fields[oauth_app_id]`

UDM Mapping Delta

UDM Mapping Delta reference: MICROSOFT DEFENDER ENDPOINT

The following tables list the delta between the Old UDM Mapping of Microsoft Defender Endpoint and the New UDM Mapping of Microsoft Defender Endpoint .

UDM Mapping Delta reference: DeviceEvents Event Identifier to Event Type

The following table lists the delta of DeviceEvents log action types and their corresponding UDM event types.

Event Identifier	Old UDM Event Type Mapping	New UDM Event Type Mapping
`AntivirusDefinitionsUpdateFailed`	`SCAN_HOST`	`SETTING_MODIFICATION`
`AntivirusEmergencyUpdatesInstalled`	`SCAN_HOST`	`SETTING_MODIFICATION`
`AntivirusTroubleshootModeEvent`	`SCAN_HOST`	`STATUS_UPDATE`
`AppControlCodeIntegrityDriverRevoked`	`SCAN_HOST`	`SCAN_FILE`
`AppControlCodeIntegrityImageAudited`	`SCAN_HOST`	`SCAN_FILE`
`AppControlCodeIntegrityImageRevoked`	`SCAN_HOST`	`SCAN_FILE`
`AppControlCodeIntegrityOriginAllowed`	`SCAN_HOST`	`SCAN_FILE`
`AppControlCodeIntegrityOriginAudited`	`SCAN_HOST`	`SCAN_FILE`
`AppControlCodeIntegrityOriginBlocked`	`SCAN_HOST`	`SCAN_FILE`
`AppControlCodeIntegrityPolicyAudited`	`SCAN_HOST`	`SCAN_FILE`
`AppControlCodeIntegrityPolicyBlocked`	`SCAN_HOST`	`SCAN_FILE`
`AppControlCodeIntegrityPolicyLoaded`	`SCAN_HOST`	`SCAN_FILE`
`AppControlCodeIntegritySigningInformation`	`SCAN_HOST`	`GENERIC_EVENT`
`AppControlPolicyApplied`	`SCAN_HOST`	`SETTING_MODIFICATION`
`AppGuardBrowseToUrl`	`SCAN_HOST`	`NETWORK_UNCATEGORIZED`
`AppGuardCreateContainer`	`SCAN_HOST`	`PROCESS_LAUNCH`
`AppGuardLaunchedWithUrl`	`SCAN_HOST`	`PROCESS_LAUNCH`
`AppGuardResumeContainer`	`SCAN_HOST`	`PROCESS_UNCATEGORIZED`
`AppGuardStopContainer`	`SCAN_HOST`	`PROCESS_TERMINATION`
`AppGuardSuspendContainer`	`SCAN_HOST`	`PROCESS_UNCATEGORIZED`
`AppLockerBlockExecutable`	`PROCESS_UNCATEGORIZED`	`SCAN_HOST`
`AppLockerBlockPackagedApp`	`STATUS_UPDATE`	`SCAN_HOST`
`AppLockerBlockPackagedAppInstallation`	`STATUS_UPDATE`	`SCAN_HOST`
`AppLockerBlockScript`	`STATUS_UPDATE`	`SCAN_HOST`
`AuditPolicyModification`	`SERVICE_MODIFICATION`	`SETTING_MODIFICATION`
`BitLockerAuditCompleted`	`SERVICE_UNSPECIFIED`	`STATUS_UPDATE`
`BluetoothPolicyTriggered`	`STATUS_UPDATE`	`SCAN_HOST`
`ContainedDeviceConnectionBlocked`	`NETWORK_UNCATEGORIZED`	`NETWORK_CONNECTION`
`ControlFlowGuardViolation`	`STATUS_UPDATE`	`SCAN_HOST`
`DeviceBootAttestationInfo`	`STATUS_UPDATE`	`GENERIC_EVENT`
`DirectoryServiceObjectCreated`	`SERVICE_MODIFICATION`	`RESOURCE_CREATION`
`DirectoryServiceObjectModified`	`SERVICE_MODIFICATION`	`RESOURCE_WRITTEN`
`DpapiAccessed`	`GENERIC_EVENT`	`PROCESS_UNCATEGORIZED`
`GetAsyncKeyStateApiCall`	`STATUS_UPDATE`	`PROCESS_UNCATEGORIZED`
`GetClipboardData`	`STATUS_UPDATE`	`PROCESS_UNCATEGORIZED`
`LdapSearch`	`STATUS_UPDATE`	`RESOURCE_READ`
`NetworkShareObjectAccessChecked`	`NETWORK_UNCATEGORIZED`	`RESOURCE_READ`
`NetworkShareObjectAdded`	`NETWORK_UNCATEGORIZED`	`RESOURCE_CREATION`
`NetworkShareObjectDeleted`	`NETWORK_UNCATEGORIZED`	`RESOURCE_DELETION`
`NetworkShareObjectModified`	`NETWORK_UNCATEGORIZED`	`RESOURCE_WRITTEN`
`PnpDeviceAllowed`	`DEVICE_CONFIG_UPDATE`	`SCAN_HOST`
`PnpDeviceBlocked`	`STATUS_UPDATE`	`SCAN_HOST`
`PnpDeviceConnected`	`STATUS_UPDATE`	`DEVICE_CONFIG_UPDATE`
`PrintJobBlocked`	`STATUS_UPDATE`	`SCAN_UNCATEGORIZED`
`QueueUserApcRemoteApiCall`	`PROCESS_LAUNCH`	`PROCESS_UNCATEGORIZED`
`RemoteWmiOperation`	`NETWORK_CONNECTION`	`PROCESS_UNCATEGORIZED`
`RemovableStoragePolicyTriggered`	`STATUS_UPDATE`	`PROCESS_UNCATEGORIZED`
`SmartScreenAppWarning`	`SCAN_UNCATEGORIZED`	`SCAN_HOST`
`SmartScreenExploitWarning`	`SCAN_UNCATEGORIZED`	`SCAN_HOST`
`SmartScreenUrlWarning`	`SCAN_UNCATEGORIZED`	`SCAN_HOST`
`SmartScreenUserOverride`	`SCAN_UNCATEGORIZED`	`SETTING_MODIFICATION`
`WmiBindEventFilterToConsumer`	`STATUS_UPDATE`	`PROCESS_UNCATEGORIZED`

UDM Mapping Delta reference: MICROSOFT DEFENDER ENDPOINT - DeviceEvents

The following table lists the delta of log fields for the DeviceEvents log type and their corresponding UDM fields:

Raw Field

Old UDM Mapping

New UDM Mapping

properties.DeviceId

principal.asset_id
principal.asset.asset_id

If the properties.ActionType log field contains one of the following values, then DeviceID:%{properties.DeviceId} is mapped to the target.asset_id and target.asset.asset_id UDM field:

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, DeviceID:%{properties.DeviceId} is mapped to the principal.asset_id and principal.asset.asset_id UDM fields.

properties.DeviceName

principal.hostname
principal.asset.hostname

If the properties.ActionType log field contains one of the following values, then the properties.DeviceName log field is mapped to the target.hostname and target.asset.hostname UDM field:

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, the properties.DeviceName log field is mapped to the principal.hostname and principal.asset.hostname UDM fields.

properties.LocalIP

principal.ip
principal.asset.ip

If the properties.ActionType log field contains one of the following values, then the properties.LocalIP log field is mapped to the target.ip and target.asset.ip UDM field:

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, the properties.LocalIP log field is mapped to the principal.ip and principal.asset.ip UDM fields.

properties.LocalPort

principal.port

If the properties.ActionType log field contains one of the following values, then the properties.LocalPort log field is mapped to the target.port UDM field:

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, the properties.LocalPort log field is mapped to the principal.port UDM field.

properties.FolderPath

target.file.full_path
target.process.file.full_path

If the properties.ActionType log field contains one of the following values:

AmsiScriptDetection
AppGuardCreateContainer
AppGuardLaunchedWithUrl
AppGuardResumeContainer
AppGuardStopContainer
AppGuardSuspendContainer
ClrUnbackedModuleLoaded
CreateRemoteThreadApiCall
DpapiAccessed
DriverLoad
GetAsyncKeyStateApiCall
GetClipboardData
MemoryRemoteProtect
NamedPipeEvent
NtAllocateVirtualMemoryApiCall
NtAllocateVirtualMemoryRemoteApiCall
NtMapViewOfSectionRemoteApiCall
NtProtectVirtualMemoryApiCall
OpenProcessApiCall
PowerShellCommand
ProcessCreatedUsingWmiQuery
ProcessPrimaryTokenModified
PTraceDetected
QueueUserApcRemoteApiCall
ReadProcessMemoryApiCall
RemoteWmiOperation
RemovableStoragePolicyTriggered
ScriptContent
SetThreadContextRemoteApiCall
WmiBindEventFilterToConsumer
WriteProcessMemoryApiCall
WriteToLsassProcessMemory
AsrAdobeReaderChildProcessAudited
AsrAdobeReaderChildProcessBlocked
AsrAdobeReaderChildProcessWarnBypassed
AsrOfficeChildProcessAudited
AsrOfficeChildProcessBlocked
AsrOfficeChildProcessWarnBypassed
AsrOfficeCommAppChildProcessAudited
AsrOfficeCommAppChildProcessBlocked
AsrOfficeCommAppChildProcessWarnBypassed
AsrOfficeProcessInjectionAudited
AsrOfficeProcessInjectionBlocked
AsrOfficeProcessInjectionWarnBypassed
AsrPsexecWmiChildProcessAudited
AsrPsexecWmiChildProcessBlocked
AsrPsexecWmiChildProcessWarnBypassed
AsrUntrustedUsbProcessAudited
AsrUntrustedUsbProcessBlocked
AsrUntrustedUsbProcessWarnBypassed
ExploitGuardChildProcessAudited
ExploitGuardChildProcessBlocked

then if the properties.FolderPath log field value matches the regular expression pattern

the properties.FileName 
log field value

the properties.FileName 
log field value

, then properties.FolderPath log field is mapped to the target.file.full_path UDM field, else %{properties.FolderPath}\%{properties.FileName} is mapped to the target.file.full_path UDM field.

properties.MD5

target.file.md5
target.process.file.md5

If the properties.ActionType log field contains one of the following values:

AmsiScriptDetection
AppGuardCreateContainer
AppGuardLaunchedWithUrl
AppGuardResumeContainer
AppGuardStopContainer
AppGuardSuspendContainer
ClrUnbackedModuleLoaded
CreateRemoteThreadApiCall
DpapiAccessed
DriverLoad
GetAsyncKeyStateApiCall
GetClipboardData
MemoryRemoteProtect
NamedPipeEvent
NtAllocateVirtualMemoryApiCall
NtAllocateVirtualMemoryRemoteApiCall
NtMapViewOfSectionRemoteApiCall
NtProtectVirtualMemoryApiCall
OpenProcessApiCall
PowerShellCommand
ProcessCreatedUsingWmiQuery
ProcessPrimaryTokenModified
PTraceDetected
QueueUserApcRemoteApiCall
ReadProcessMemoryApiCall
RemoteWmiOperation
RemovableStoragePolicyTriggered
ScriptContent
SetThreadContextRemoteApiCall
WmiBindEventFilterToConsumer
WriteProcessMemoryApiCall
WriteToLsassProcessMemory
AsrAdobeReaderChildProcessAudited
AsrAdobeReaderChildProcessBlocked
AsrAdobeReaderChildProcessWarnBypassed
AsrOfficeChildProcessAudited
AsrOfficeChildProcessBlocked
AsrOfficeChildProcessWarnBypassed
AsrOfficeCommAppChildProcessAudited
AsrOfficeCommAppChildProcessBlocked
AsrOfficeCommAppChildProcessWarnBypassed
AsrOfficeProcessInjectionAudited
AsrOfficeProcessInjectionBlocked
AsrOfficeProcessInjectionWarnBypassed
AsrPsexecWmiChildProcessAudited
AsrPsexecWmiChildProcessBlocked
AsrPsexecWmiChildProcessWarnBypassed
AsrUntrustedUsbProcessAudited
AsrUntrustedUsbProcessBlocked
AsrUntrustedUsbProcessWarnBypassed
ExploitGuardChildProcessAudited
ExploitGuardChildProcessBlocked

properties.FileName

target.file.names
target.process.file.names

If the properties.ActionType log field contains one of the following values:

AmsiScriptDetection
AppGuardCreateContainer
AppGuardLaunchedWithUrl
AppGuardResumeContainer
AppGuardStopContainer
AppGuardSuspendContainer
ClrUnbackedModuleLoaded
CreateRemoteThreadApiCall
DpapiAccessed
DriverLoad
GetAsyncKeyStateApiCall
GetClipboardData
MemoryRemoteProtect
NamedPipeEvent
NtAllocateVirtualMemoryApiCall
NtAllocateVirtualMemoryRemoteApiCall
NtMapViewOfSectionRemoteApiCall
NtProtectVirtualMemoryApiCall
OpenProcessApiCall
PowerShellCommand
ProcessCreatedUsingWmiQuery
ProcessPrimaryTokenModified
PTraceDetected
QueueUserApcRemoteApiCall
ReadProcessMemoryApiCall
RemoteWmiOperation
RemovableStoragePolicyTriggered
ScriptContent
SetThreadContextRemoteApiCall
WmiBindEventFilterToConsumer
WriteProcessMemoryApiCall
WriteToLsassProcessMemory
AsrAdobeReaderChildProcessAudited
AsrAdobeReaderChildProcessBlocked
AsrAdobeReaderChildProcessWarnBypassed
AsrOfficeChildProcessAudited
AsrOfficeChildProcessBlocked
AsrOfficeChildProcessWarnBypassed
AsrOfficeCommAppChildProcessAudited
AsrOfficeCommAppChildProcessBlocked
AsrOfficeCommAppChildProcessWarnBypassed
AsrOfficeProcessInjectionAudited
AsrOfficeProcessInjectionBlocked
AsrOfficeProcessInjectionWarnBypassed
AsrPsexecWmiChildProcessAudited
AsrPsexecWmiChildProcessBlocked
AsrPsexecWmiChildProcessWarnBypassed
AsrUntrustedUsbProcessAudited
AsrUntrustedUsbProcessBlocked
AsrUntrustedUsbProcessWarnBypassed
ExploitGuardChildProcessAudited
ExploitGuardChildProcessBlocked

then properties.FileName log field is mapped to the target.process.file.names UDM field.
Else, properties.FileName log field is mapped to the target.file.names UDM field.

properties.SHA1

target.file.sha1
target.process.file.sha1

If the properties.ActionType log field contains one of the following values:

AmsiScriptDetection
AppGuardCreateContainer
AppGuardLaunchedWithUrl
AppGuardResumeContainer
AppGuardStopContainer
AppGuardSuspendContainer
ClrUnbackedModuleLoaded
CreateRemoteThreadApiCall
DpapiAccessed
DriverLoad
GetAsyncKeyStateApiCall
GetClipboardData
MemoryRemoteProtect
NamedPipeEvent
NtAllocateVirtualMemoryApiCall
NtAllocateVirtualMemoryRemoteApiCall
NtMapViewOfSectionRemoteApiCall
NtProtectVirtualMemoryApiCall
OpenProcessApiCall
PowerShellCommand
ProcessCreatedUsingWmiQuery
ProcessPrimaryTokenModified
PTraceDetected
QueueUserApcRemoteApiCall
ReadProcessMemoryApiCall
RemoteWmiOperation
RemovableStoragePolicyTriggered
ScriptContent
SetThreadContextRemoteApiCall
WmiBindEventFilterToConsumer
WriteProcessMemoryApiCall
WriteToLsassProcessMemory
AsrAdobeReaderChildProcessAudited
AsrAdobeReaderChildProcessBlocked
AsrAdobeReaderChildProcessWarnBypassed
AsrOfficeChildProcessAudited
AsrOfficeChildProcessBlocked
AsrOfficeChildProcessWarnBypassed
AsrOfficeCommAppChildProcessAudited
AsrOfficeCommAppChildProcessBlocked
AsrOfficeCommAppChildProcessWarnBypassed
AsrOfficeProcessInjectionAudited
AsrOfficeProcessInjectionBlocked
AsrOfficeProcessInjectionWarnBypassed
AsrPsexecWmiChildProcessAudited
AsrPsexecWmiChildProcessBlocked
AsrPsexecWmiChildProcessWarnBypassed
AsrUntrustedUsbProcessAudited
AsrUntrustedUsbProcessBlocked
AsrUntrustedUsbProcessWarnBypassed
ExploitGuardChildProcessAudited
ExploitGuardChildProcessBlocked

properties.SHA256

target.file.sha256
target.process.file.sha256

If the properties.ActionType log field contains one of the following values:

AmsiScriptDetection
AppGuardCreateContainer
AppGuardLaunchedWithUrl
AppGuardResumeContainer
AppGuardStopContainer
AppGuardSuspendContainer
ClrUnbackedModuleLoaded
CreateRemoteThreadApiCall
DpapiAccessed
DriverLoad
GetAsyncKeyStateApiCall
GetClipboardData
MemoryRemoteProtect
NamedPipeEvent
NtAllocateVirtualMemoryApiCall
NtAllocateVirtualMemoryRemoteApiCall
NtMapViewOfSectionRemoteApiCall
NtProtectVirtualMemoryApiCall
OpenProcessApiCall
PowerShellCommand
ProcessCreatedUsingWmiQuery
ProcessPrimaryTokenModified
PTraceDetected
QueueUserApcRemoteApiCall
ReadProcessMemoryApiCall
RemoteWmiOperation
RemovableStoragePolicyTriggered
ScriptContent
SetThreadContextRemoteApiCall
WmiBindEventFilterToConsumer
WriteProcessMemoryApiCall
WriteToLsassProcessMemory
AsrAdobeReaderChildProcessAudited
AsrAdobeReaderChildProcessBlocked
AsrAdobeReaderChildProcessWarnBypassed
AsrOfficeChildProcessAudited
AsrOfficeChildProcessBlocked
AsrOfficeChildProcessWarnBypassed
AsrOfficeCommAppChildProcessAudited
AsrOfficeCommAppChildProcessBlocked
AsrOfficeCommAppChildProcessWarnBypassed
AsrOfficeProcessInjectionAudited
AsrOfficeProcessInjectionBlocked
AsrOfficeProcessInjectionWarnBypassed
AsrPsexecWmiChildProcessAudited
AsrPsexecWmiChildProcessBlocked
AsrPsexecWmiChildProcessWarnBypassed
AsrUntrustedUsbProcessAudited
AsrUntrustedUsbProcessBlocked
AsrUntrustedUsbProcessWarnBypassed
ExploitGuardChildProcessAudited
ExploitGuardChildProcessBlocked

properties.FileSize

target.file.size
target.process.file.size

If the properties.ActionType log field contains one of the following values:

AmsiScriptDetection
AppGuardCreateContainer
AppGuardLaunchedWithUrl
AppGuardResumeContainer
AppGuardStopContainer
AppGuardSuspendContainer
ClrUnbackedModuleLoaded
CreateRemoteThreadApiCall
DpapiAccessed
DriverLoad
GetAsyncKeyStateApiCall
GetClipboardData
MemoryRemoteProtect
NamedPipeEvent
NtAllocateVirtualMemoryApiCall
NtAllocateVirtualMemoryRemoteApiCall
NtMapViewOfSectionRemoteApiCall
NtProtectVirtualMemoryApiCall
OpenProcessApiCall
PowerShellCommand
ProcessCreatedUsingWmiQuery
ProcessPrimaryTokenModified
PTraceDetected
QueueUserApcRemoteApiCall
ReadProcessMemoryApiCall
RemoteWmiOperation
RemovableStoragePolicyTriggered
ScriptContent
SetThreadContextRemoteApiCall
WmiBindEventFilterToConsumer
WriteProcessMemoryApiCall
WriteToLsassProcessMemory
AsrAdobeReaderChildProcessAudited
AsrAdobeReaderChildProcessBlocked
AsrAdobeReaderChildProcessWarnBypassed
AsrOfficeChildProcessAudited
AsrOfficeChildProcessBlocked
AsrOfficeChildProcessWarnBypassed
AsrOfficeCommAppChildProcessAudited
AsrOfficeCommAppChildProcessBlocked
AsrOfficeCommAppChildProcessWarnBypassed
AsrOfficeProcessInjectionAudited
AsrOfficeProcessInjectionBlocked
AsrOfficeProcessInjectionWarnBypassed
AsrPsexecWmiChildProcessAudited
AsrPsexecWmiChildProcessBlocked
AsrPsexecWmiChildProcessWarnBypassed
AsrUntrustedUsbProcessAudited
AsrUntrustedUsbProcessBlocked
AsrUntrustedUsbProcessWarnBypassed
ExploitGuardChildProcessAudited
ExploitGuardChildProcessBlocked

then properties.FileSize log field is mapped to the target.process.file.size UDM field.
Else, properties.FileSize log field is mapped to the target.file.size UDM field.

properties.RemoteDeviceName

principal.hostname
principal.asset.hostname

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, the properties.RemoteDeviceName log field is mapped to the target.hostname and target.asset.hostname UDM fields.

properties.RemoteIP

principal.ip
principal.asset.ip

If the properties.ActionType log field contains one of the following values, then the properties.RemoteIP log field is mapped to the principal.ip and principal.asset.ip UDM field:

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, the properties.RemoteIP log field is mapped to the target.ip and target.asset.ip UDM fields.

properties.RemotePort

principal.port

If the properties.ActionType log field contains one of the following values, then the properties.RemotePort log field is mapped to the principal.port UDM field:

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, the properties.RemotePort log field is mapped to the target.port UDM field.

properties.RemoteUrl

principal.url

If the properties.ActionType log field contains one of the following values, then the properties.RemoteUrl log field is mapped to the principal.url UDM field:

RemoteWmiOperation
ProcessCreatedUsingWmiQuery

Else, the properties.RemoteUrl log field is mapped to the target.url UDM field.

UDM Mapping Delta reference: MICROSOFT DEFENDER ENDPOINT - AlertEvidence

The following table lists the delta of log fields for the AlertEvidence log type and their corresponding UDM fields:

Raw Field	Old UDM Mapping	New UDM Mapping
`properties.Application`	`additional.fields[application]`	`principal.application`
`properties.EvidenceDirection`	`principal.user.attribute.labels[evidence_direction]`	`additional.fields[evidence_direction]`
`properties.EvidenceRole`	`principal.user.attribute.labels[evidence_role]`	`additional.fields[evidence_role]`

UDM Mapping Delta reference: MICROSOFT DEFENDER ENDPOINT - AlertInfo

The following table lists the delta of log fields for the AlertInfo log type and their corresponding UDM fields:

Raw Field	Old UDM Mapping	New UDM Mapping
`properties.ServiceSource`	`security_result.detection_fields[service_source]`	`principal.application`

UDM Mapping Delta reference: MICROSOFT DEFENDER ENDPOINT - DeviceFileCertificateInfo

The following table lists the delta of log fields for the DeviceFileCertificateInfo log type and their corresponding UDM fields:

Raw Field	Old UDM Mapping	New UDM Mapping
`properties.Timestamp`	`metadata.event_timestamp`	`metadata.creation_timestamp`
	The `metadata.event_type` UDM field is set to `STATUS_UPDATE` .	The `metadata.entity_type` UDM field is set to `FILE` .
`properties.ReportId`	`metadata.product_log_id`	`metadata.product_entity_id`
`properties.DeviceId`	`principal.asset_id`	The `entity.asset_id` is set to `DeviceID:%{properties.DeviceId}` .
`properties.SHA1`	`principal.file.sha1`	If the `properties.SHA1` log field value matches the regular expression pattern `^[0-9a-f]+$` , then the `properties.SHA1` log field is mapped to the `entity.file.sha1` UDM field.
`properties.Issuer`	`principal.file.signature_info.sigcheck.signers.cert_issuer`	`entity.file.signature_info.sigcheck.signers.cert_issuer`
`properties.Signer`	`principal.file.signature_info.sigcheck.signers.name`	`entity.file.signature_info.sigcheck.signers.name`
`properties.IsSigned`	`principal.file.signature_info.sigcheck.verified`	If the `properties.IsSigned` log field value is equal to `true` , then the `entity.file.signature_info.sigcheck.verified` UDM field is set to `TRUE` . Else, the `entity.file.signature_info.sigcheck.verified` UDM field is set to `FALSE` .
`properties.DeviceName`	`principal.hostname`	`entity.asset.hostname`
`properties.CertificateSerialNumber`	`additional.fields[certificate_serial_number]`	`entity.file.signature_info.sigcheck.x509.serial_number`

UDM Mapping Delta reference: MICROSOFT DEFENDER ENDPOINT - DeviceFileEvents

The following table lists the delta of log fields for the DeviceFileEvents log type and their corresponding UDM fields:

Raw Field	Old UDM Mapping	New UDM Mapping
`properties.FileOriginIP`	`principal.ip`	`src.ip`
`properties.RequestSourceIP`	`principal.ip`	`src.ip`
`properties.RequestSourcePort`	`principal.port`	`src.port`
`properties.FileOriginUrl`	`principal.url`	`src.url`

UDM Mapping Delta reference: MICROSOFT DEFENDER ENDPOINT - DeviceLogonEvents

The following table lists the delta of log fields for the DeviceLogonEvents log type and their corresponding UDM fields:

Raw Field	Old UDM Mapping	New UDM Mapping
`properties.LogonId`	`network.session_id`	`extensions.auth.auth_details`

UDM Mapping Delta reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmInfoGathering

The following table lists the delta of log fields for the DeviceTvmInfoGathering log type and their corresponding UDM fields:

Raw Field	Old UDM Mapping	New UDM Mapping
`properties.LastSeenTime`	`security.result.last_discovered_time`	`principal.asset.last_discover_time`

UDM Mapping Delta reference: MICROSOFT DEFENDER ENDPOINT - DeviceRegistryEvents

The following table lists the delta of log fields for the DeviceRegistryEvents log type and their corresponding UDM fields:

Raw Field	Old UDM Mapping	New UDM Mapping
`properties.PreviousRegistryValueData`	`principal.registry.registry_value_data`	`src.registry.registry_value_data`
`properties.PreviousRegistryKey`	`principal.registry.registry_key`	`src.registry.registry_key`
`properties.PreviousRegistryValueName`	`principal.registry.registry_value_name`	`src.registry.registry_value_name`

UDM Mapping Delta reference: MICROSOFT DEFENDER ENDPOINT - DeviceTvmSoftwareVulnerabilitiesKB

The following table lists the delta of log fields for the DeviceTvmSoftwareVulnerabilitiesKB log type and their corresponding UDM fields:

Raw Field	Old UDM Mapping	New UDM Mapping
`properties.IsExploitAvailable`	`extensions.vulns.vulnerablities.cvss_vector`	`additional.fields[is_exploit_available]`
`properties.LastModifiedTime`	`extensions.vulns.vulnerabilities.scan_end_time`	`additional.fields[last_modified_time]`
`properties.PublishedDate`	`extensions.vulns.vulnerabilities.first_found`	`additional.fields[published_date]`
`properties.AffectedSoftware`	`extensions.vulns.vulnerabilities.description`	`target.application`

UDM Mapping Delta reference: MICROSOFT DEFENDER ENDPOINT - EmailEvents

The following table lists the delta of log fields for the EmailEvents log type and their corresponding UDM fields:

Raw Field

Old UDM Mapping

New UDM Mapping

properties.SenderMailFromAddress

principal.user.attribute.labels[sender_mail_from_address]

network.email.reply_to

properties.DeliveryAction

additional.fields[delivery_action]

If the properties.DeliveryAction log field is equal to Delivered , then the security_result.action UDM field is set to ALLOW .
Else, if the properties.DeliveryAction log field contains one of the following values:

Junked
Replaced

then the security_result.action UDM field is set to ALLOW_WITH_MODIFICATION .
Else, if the properties.DeliveryAction log field is equal to Blocked , then the security_result.action UDM field is set to BLOCK .
Else, the security_result.action UDM field is set to UNKNOWN_ACTION .

UDM Mapping Delta reference: MICROSOFT DEFENDER ENDPOINT - EmailPostDeliveryEvents

The following table lists the delta of log fields for the EmailPostDeliveryEvents log type and their corresponding UDM fields:

Raw Field	Old UDM Mapping	New UDM Mapping
	The `metadata.event_type` UDM field is set to `EMAIL_UNCATEGORIZED` .	The `metadata.event_type` UDM field is set to `EMAIL_TRANSACTION` .

UDM Mapping Delta reference: MICROSOFT DEFENDER ENDPOINT - IdentityInfo

The following table lists the delta of log fields for the IdentityInfo log type and their corresponding UDM fields:

Raw Field	Old UDM Mapping	New UDM Mapping
`properties.Type`	`entity.user.attribute.role.name`	If the `properties.Type` log field is equal to `User` , then the `entity.user.account_type` UDM field is set to `DOMAIN_ACCOUNT_TYPE` . Else, if the `properties.Type` log field is equal to `ServiceAccount` , then the `entity.user.account_type` UDM field is set to `SERVICE_ACCOUNT_TYPE` .
`properties.Type`	`entity.user.attribute.role.name`	`entity.user.attribute.labels[type]`

UDM Mapping Delta reference: MICROSOFT DEFENDER ENDPOINT - IdentityLogonEvents

The following table lists the delta of log fields for the IdentityLogonEvents log type and their corresponding UDM fields:

Raw Field	Old UDM Mapping	New UDM Mapping
`properties.Application`	`additional.fields[application]`	`principal.application`
`properties.AccountObjectId`	`additional.fields[account_object_id]`	`principal.user.product_object_id`
`properties.DestinationDeviceName`	`src.hostname`	`intermediary.hostname`
`properties.DestinationPort`	`src.port`	`intermediary.port`
`properties.DestinationIPAddress`	`src.ip`	`intermediary.ip`
`properties.AccountUpn`	`principal.user.user_display_name`	`principal.user.email_addresses`

What's next

Data ingestion to Google SecOps

Need more help? Get answers from Community members and Google SecOps professionals.