Rules (XIF)
[MODEL: dataset=microsoft_365_defender_raw, model=Endpoint]
alter
XDM.Endpoint.original_event_id = id,
XDM.Endpoint.threat.original_alert_id = to_string(incidentId),
XDM.Endpoint.threat.severity = severity,
XDM.Endpoint.Observer.product = detectionSource,
XDM.Endpoint.threat.category = category,
XDM.Endpoint.threat.subcategory = threatFamilyName,
XDM.Endpoint.threat.name = if(threatName = null, title, threatName),
XDM.Endpoint.threat.description = description,
XDM.Endpoint.event_timestamp = parse_timestamp("%Y-%m-%dT%H:%M:%E*SZ", alertCreationTime),
XDM.Endpoint.Target.host.device_id = machineId,
XDM.Endpoint.Target.host.fqdn = computerDnsName,
XDM.Endpoint.threat.mitre_techniques = json_extract_array(mitreTechniques, "$."),
XDM.Endpoint.Target.file.sha256 = json_extract_scalar(evidence, "$.sha256"),
XDM.Endpoint.Target.file.filename = json_extract_scalar(evidence, "$.fileName"),
XDM.Endpoint.Target.file.path = json_extract_scalar(evidence, "$.filePath"),
XDM.Endpoint.Target.process.pid = to_integer(json_extract_scalar(evidence, "$.processId")),
XDM.Endpoint.Target.process.command_line = json_extract_scalar(evidence, "$.processCommandLine"),
XDM.Endpoint.Target.process.parent_id = json_extract_scalar(evidence, "$.parentProcessId"),
XDM.Endpoint.Target.host.ipv4_addresses = if(json_extract_scalar(evidence, "$.ipAddress") != null, arraycreate(json_extract_scalar(evidence, "$.ipAddress")), null),
XDM.Endpoint.Target.registry.key = json_extract_scalar(evidence, "$.registryKey"),
XDM.Endpoint.Target.registry.value_type = json_extract_scalar(evidence, "$.registryValueType"),
XDM.Endpoint.Target.registry.value = json_extract_scalar(evidence, "$.registryValue"),
XDM.Endpoint.Actor.user.username = json_extract_scalar(evidence, "$.accountName"),
XDM.Endpoint.Actor.user.domain = json_extract_scalar(evidence, "$.domainName"),
XDM.Endpoint.Actor.user.identifier = json_extract_scalar(evidence, "$.userSid");
Schema
microsoft_365_defender_raw
| Field |
Type |
Array? |
alertCreationTime |
string |
— |
category |
string |
— |
computerDnsName |
string |
— |
description |
string |
— |
detectionSource |
string |
— |
evidence |
string |
Yes |
id |
string |
— |
incidentId |
string |
— |
machineId |
string |
— |
mitreTechniques |
string |
Yes |
severity |
string |
— |
threatFamilyName |
string |
— |
threatName |
string |
— |
title |
string |
— |
Raw JSON
{
"microsoft_365_defender_raw": {
"id": {
"type": "string",
"is_array": false
},
"incidentId": {
"type": "string",
"is_array": false
},
"title": {
"type": "string",
"is_array": false
},
"severity": {
"type": "string",
"is_array": false
},
"detectionSource": {
"type": "string",
"is_array": false
},
"category": {
"type": "string",
"is_array": false
},
"threatFamilyName": {
"type": "string",
"is_array": false
},
"threatName": {
"type": "string",
"is_array": false
},
"description": {
"type": "string",
"is_array": false
},
"alertCreationTime": {
"type": "string",
"is_array": false
},
"machineId": {
"type": "string",
"is_array": false
},
"computerDnsName": {
"type": "string",
"is_array": false
},
"mitreTechniques": {
"type": "string",
"is_array": true
},
"evidence": {
"type": "string",
"is_array": true
}
}
}