Microsoft 365 Defender Event Collector

Modeling Rule

Microsoft Defender for Endpoint

Details

IDmicrosoft_365_defender_event_collector
From Version6.8.0
To Version6.9.9
TagsMicrosoft 365 Defender

Rules (XIF)

[MODEL: dataset=microsoft_365_defender_raw, model=Endpoint]
alter 
        XDM.Endpoint.original_event_id = id,
        XDM.Endpoint.threat.original_alert_id = to_string(incidentId),						
        XDM.Endpoint.threat.severity = severity,		
        XDM.Endpoint.Observer.product = detectionSource,
        XDM.Endpoint.threat.category = category,		
        XDM.Endpoint.threat.subcategory = threatFamilyName,
        XDM.Endpoint.threat.name = if(threatName = null, title, threatName),
        XDM.Endpoint.threat.description = description,			
        XDM.Endpoint.event_timestamp = parse_timestamp("%Y-%m-%dT%H:%M:%E*SZ", alertCreationTime),					
        XDM.Endpoint.Target.host.device_id = machineId,			
        XDM.Endpoint.Target.host.fqdn = computerDnsName,	
        XDM.Endpoint.threat.mitre_techniques = json_extract_array(mitreTechniques, "$."),
        XDM.Endpoint.Target.file.sha256	= json_extract_scalar(evidence, "$.sha256"),
        XDM.Endpoint.Target.file.filename = json_extract_scalar(evidence, "$.fileName"),		
        XDM.Endpoint.Target.file.path = json_extract_scalar(evidence, "$.filePath"),	
        XDM.Endpoint.Target.process.pid	= to_integer(json_extract_scalar(evidence, "$.processId")),		
        XDM.Endpoint.Target.process.command_line = json_extract_scalar(evidence, "$.processCommandLine"),		
        XDM.Endpoint.Target.process.parent_id = json_extract_scalar(evidence, "$.parentProcessId"),		
        XDM.Endpoint.Target.host.ipv4_addresses	= if(json_extract_scalar(evidence, "$.ipAddress") != null, arraycreate(json_extract_scalar(evidence, "$.ipAddress")), null),	
        XDM.Endpoint.Target.registry.key = json_extract_scalar(evidence, "$.registryKey"),		
        XDM.Endpoint.Target.registry.value_type	= json_extract_scalar(evidence, "$.registryValueType"),		
        XDM.Endpoint.Target.registry.value = json_extract_scalar(evidence, "$.registryValue"),	
        XDM.Endpoint.Actor.user.username = json_extract_scalar(evidence, "$.accountName"),		
        XDM.Endpoint.Actor.user.domain = json_extract_scalar(evidence, "$.domainName"),	
        XDM.Endpoint.Actor.user.identifier = json_extract_scalar(evidence, "$.userSid");

Schema

microsoft_365_defender_raw

Field Type Array?
alertCreationTime string
category string
computerDnsName string
description string
detectionSource string
evidence string Yes
id string
incidentId string
machineId string
mitreTechniques string Yes
severity string
threatFamilyName string
threatName string
title string
Raw JSON
{
  "microsoft_365_defender_raw": {
    "id": {
      "type": "string",
      "is_array": false
    },
    "incidentId": {
      "type": "string",
      "is_array": false
    },
    "title": {
      "type": "string",
      "is_array": false
    },
    "severity": {
      "type": "string",
      "is_array": false
    },
    "detectionSource": {
      "type": "string",
      "is_array": false
    },
    "category": {
      "type": "string",
      "is_array": false
    },
    "threatFamilyName": {
      "type": "string",
      "is_array": false
    },
    "threatName": {
      "type": "string",
      "is_array": false
    },
    "description": {
      "type": "string",
      "is_array": false
    },
    "alertCreationTime": {
      "type": "string",
      "is_array": false
    },
    "machineId": {
      "type": "string",
      "is_array": false
    },
    "computerDnsName": {
      "type": "string",
      "is_array": false
    },
    "mitreTechniques": {
      "type": "string",
      "is_array": true
    },
    "evidence": {
      "type": "string",
      "is_array": true
    }
  }
}