Microsoft Defender Advanced Threat Protection Parsing Rule

Parsing Rule

Microsoft Defender for Endpoint

Details

IDMicrosoft_DefenderAdvancedThreatProtection_ParsingRule
From Version6.10.0

Rules (XQL)

[INGEST:vendor="Microsoft 365", product="Defender", target_dataset="microsoft_365_defender_raw", no_hit = keep]
// Support only date time of format: yyyy-MM-ddThh:mm:%E3S or format: yyyy-MM-ddThh:mm:ss. For example: "2021-07-01T10:00:00.667Z" or "2021-07-01T10:00:00Z".
filter to_string(lastEventTime) ~= "\d{4,}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d*Z" or to_string(lastEventTime) ~= "\d{4,}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z"
| alter tmp_timestamp_1 = parse_timestamp("%Y-%m-%dT%H:%M:%E3S", arrayindex(regextract(to_string(lastEventTime), "(\d{4,}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3})"),0)),
        tmp_timestamp_2 = parse_timestamp("%Y-%m-%dT%H:%M:%SZ", to_string(lastEventTime))
| alter _time  = coalesce(tmp_timestamp_1, tmp_timestamp_2)
| fields -tmp_timestamp_1, tmp_timestamp_2;