Change log for MICROSOFT_DEFENDER_CLOUD_ALERTS
| Date | Changes |
|---|---|
| 2025-12-24 | Enhancement:
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped `record.Intent` raw log field and fields from `Threat Information` to `event.idm.read_only_udm.security_result.detection_fields`.
- event.idm.read_only_udm.target.resource.id: Newly mapped `record.AzureResourceId` raw log field to `event.idm.read_only_udm.target.resource.id`.
- event.idm.read_only_udm.additional.fields: Newly mapped `record.RemediationSteps`, `record.Entities`, `record.ResourceIdentifiers` raw log fields to `event.idm.read_only_udm.additional.fields`.
- event.idm.read_only_udm.security_result.category_details: Newly mapped `record.ExtendedProperties.threatCategory` raw log field to `event.idm.read_only_udm.security_result.category_details`.
- Enhanced mapping for `event.idm.read_only_udm.security_result.rule_name` to use `record.AlertDisplayName` as a fallback if `record.properties.alertDisplayName` is not available.
- Enhanced mapping for `event.idm.read_only_udm.principal.resource.attribute.labels` (for "AlertUri") to use `AlertUri` as a fallback if `record.properties.alertUri` is not available.
- Enhanced mapping for `event.idm.read_only_udm.principal.resource.attribute.labels` (for "correlationKey") to use `CorrelationKey` as a fallback if `record.properties.correlationKey` is not available.
- Enhanced mapping for `event.idm.read_only_udm.additional.fields` (for "StartTime") to use `StartTimeUtc` as a fallback if `record.properties.startTimeUtc` is not available.
- Enhanced mapping for `event.idm.read_only_udm.additional.fields` (for "EndTime") to use `EndTimeUtc` as a fallback if `record.properties.endTimeUtc` is not available.
- Enhanced mapping for `event.idm.read_only_udm.security_result.severity` to use `record.Severity` as a fallback if `record.properties.severity` is not available.
- Enhanced mapping for `event.idm.read_only_udm.additional.fields` (for "TenantId") to use `record.ExtendedProperties.TenantId` as a fallback if `record.TenantId` is not available.
- Enhanced mapping for `event.idm.read_only_udm.principal.resource.name` to use `record.ExtendedProperties.resourceType` as a fallback if the value from `record.properties.resourceIdentifiers` or `record.properties.extendedProperties.resourceType` is not available.
- Enhanced mapping for `event.idm.read_only_udm.principal.resource.attribute.labels` (for "productComponentName") to use `record.ExtendedProperties.ProductComponentName` as a fallback if the value from `record.properties.extendedProperties.productComponentName` is not available.
- Added gsub to replace "Threat Category" with "threatCategory" in the raw message before JSON parsing. |
| 2025-12-04 | Enhancement:
- event.idm.read_only_udm.principal.process.file.full_path: Newly mapped `record.properties.RawEventData.ClientProcessName` raw log field to the `event.idm.read_only_udm.principal.process.file.full_path` UDM field.
- event.idm.read_only_udm.network.session_id: Newly mapped `record.properties.RawEventData.ClientRequestId` raw log field to the `event.idm.read_only_udm.network.session_id` UDM field.
- event.idm.read_only_udm.principal.user.windows_sid: Newly mapped `record.properties.RawEventData.LogonUserSid` raw log field to the `event.idm.read_only_udm.principal.user.windows_sid` UDM field.
- event.idm.read_only_udm.principal.user.email_addresses: Newly mapped `record.properties.RawEventData.MailboxOwnerUPN` raw log field to the `event.idm.read_only_udm.principal.user.email_addresses` UDM field.
- event.idm.read_only_udm.principal.location.name: Newly mapped `record.properties.ISP` raw log field to the `event.idm.read_only_udm.principal.location.name` UDM field.
- event.idm.read_only_udm.target.hostname: Newly mapped `record.properties.RawEventData.OriginatingServer` raw log field to the `event.idm.read_only_udm.target.hostname` UDM field.
- event.idm.read_only_udm.target.application: Newly mapped `record.properties.Application` raw log field to the `event.idm.read_only_udm.target.application` UDM field.
- event.idm.read_only_udm.security_result.rule_id: Newly mapped `record.properties.ReportId` raw log field to the `event.idm.read_only_udm.security_result.rule_id` UDM field.
- event.idm.read_only_udm.security_result.detection_fields: Newly mapped `record.properties.IsImpersonated` and `record.properties.IsAdminOperation` raw log fields to the `event.idm.read_only_udm.security_result.detection_fields` UDM field.
- event.idm.read_only_udm.principal.resource.attribute.labels: Newly mapped `zone_interface` (extracted from clientIpAddress), `record.properties.extendedProperties.potential causes`, `record.properties.extendedProperties.productComponentName`, `record.properties.extendedProperties.effectiveSubscriptionId`, `record.properties.extendedProperties.sql server name`, `record.properties.extendedProperties.sql instance name`, `record.properties.supportingEvidence` and `record.properties.systemAlertId` raw log fields to the `event.idm.read_only_udm.principal.resource.attribute.labels` UDM field.
- event.idm.read_only_udm.principal.user.userid: Newly mapped `record.properties.RawEventData.UserId` raw log field to the `event.idm.read_only_udm.principal.user.userid` UDM field.
- event.idm.read_only_udm.metadata.product_log_id: Newly mapped `record.properties.RawEventData.Id` raw log field to the `event.idm.read_only_udm.metadata.product_log_id` UDM field. |
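The fallback precedence and the pre-parse gsub described in the 2025-12-24 entry, as an added Python example (not the parser's own code) that a detection engineer could use to check which raw field should win for a given alert shape. It assumes two constructed alert records, one in the top-level `record.*` shape and one in the `record.properties.*` shape, and assumes "Threat Category" appears as a JSON key under `ExtendedProperties`; the `resourceIdentifiers` path for resource name is left out.

```python
import json

# Constructed sample in the top-level shape (assumption: "Threat Category"
# is a key under ExtendedProperties before the gsub renames it).
RAW_TOPLEVEL = json.dumps({
    "AlertDisplayName": "Suspicious process executed",
    "Severity": "High",
    "TenantId": "tenant-placeholder",
    "ExtendedProperties": {"Threat Category": "Execution",
                           "resourceType": "Virtual Machine"},
})

# Constructed sample in the properties shape; the top-level duplicates
# must NOT win because properties.* is the primary path.
RAW_PROPERTIES = json.dumps({
    "properties": {"alertDisplayName": "Legacy alert name", "severity": "Low",
                   "extendedProperties": {"resourceType": "App Service"}},
    "AlertDisplayName": "Should not win",
    "Severity": "High",
    "ExtendedProperties": {"TenantId": "tenant-from-extended"},
})

def normalize_raw(message: str) -> dict:
    # Mirror the parser's gsub: plain substring replacement before JSON parsing
    # (a plain replace would also touch values containing the same text).
    return json.loads(message.replace("Threat Category", "threatCategory"))

def first_present(record: dict, *paths: str):
    """Return the value at the first dotted path that exists and is non-empty."""
    for path in paths:
        node = record
        for key in path.split("."):
            if not isinstance(node, dict) or key not in node:
                node = None
                break
            node = node[key]
        if node not in (None, ""):
            return node
    return None

def map_udm(message: str) -> dict:
    r = normalize_raw(message)
    return {  # primary path first, documented fallback second
        "security_result.rule_name": first_present(r, "properties.alertDisplayName", "AlertDisplayName"),
        "security_result.severity": first_present(r, "properties.severity", "Severity"),
        "additional.fields.TenantId": first_present(r, "TenantId", "ExtendedProperties.TenantId"),
        "principal.resource.name": first_present(r, "properties.extendedProperties.resourceType",
                                                 "ExtendedProperties.resourceType"),
        "security_result.category_details": first_present(r, "ExtendedProperties.threatCategory"),
    }
```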