Change log for MICROSOFT_DEFENDER_MAIL
| Date | Changes |
|---|---|
| 2025-09-19 | - `event.idm.read_only_udm.network.email.to`: Newly mapped `properties.To` raw log field to `event.idm.read_only_udm.network.email.to` UDM field.<br>- `event.idm.read_only_udm.network.received_bytes`: Newly mapped `properties.EmailSize` raw log field to `event.idm.read_only_udm.network.received_bytes` UDM field.<br>- `event.idm.read_only_udm.additional.fields`: Newly mapped `properties.EmailClusterId`, `properties.BulkComplaintLevel`, `properties.ExchangeTransportRule`, `properties.IsFirstContact` raw log fields to `event.idm.read_only_udm.additional.fields` UDM field.<br>- Modified handling of the `DetectionMethods` raw log field: "Phish" array elements are now mapped to indexed keys within `event.idm.read_only_udm.additional.fields` instead of being aggregated into a list under a single "Phish" key.<br>- Modified handling of the `DetectionMethods` raw log field: "Spam" array elements are now mapped to indexed keys within `event.idm.read_only_udm.additional.fields` instead of being aggregated into a list under a single "Spam" key.<br>- `event.idm.read_only_udm.target.hostname`: Newly mapped `properties.RecipientDomain` raw log field to `event.idm.read_only_udm.target.hostname` UDM field.<br>- Set `event.idm.read_only_udm.metadata.event_type` to `NETWORK_CONNECTION` if both `has_principal` and `has_target` are true. |
| 2025-03-24 | - Enhanced email validation for `_raw.properties.SenderMailFromAddress` before assigning it to `principal.email`, using both regular expression and length checks.<br>- Corrected the merge target for `_raw.properties.EmailClusterId` from `event1.idm.read_only_udm.additional.fields` to `additional.fields` so that the field is populated correctly.<br>- Implemented a length check on `_raw.properties.SenderFromAddress` before assigning it to `network.email.from` to ensure it is a valid email address. |
| 2025-01-23 | - Mapped `properties.Action` to `security_result.action_details`.<br>- Mapped `properties.ActionType` to `security_result.detection_fields`. |
| 2024-10-10 | - Added support for parsing the new format of previously unparsed JSON logs. |
| 2024-08-06 | - Newly created parser. |
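The following added example (not the Chronicle parser itself, whose configuration is not shown on this page) illustrates the 2025-09-19 and 2025-03-24 behaviour on a constructed Defender email record: address validation before `principal.email` / `network.email.from` are set, the new field mappings, `DetectionMethods` arrays flattened to indexed keys, and `NETWORK_CONNECTION` chosen only when both principal and target exist. The exact regular expression, the 254-character limit, the indexed-key format (`Phish_0`, `Phish_1`, ...) and the `GENERIC_EVENT` fallback are assumptions.

```python
import json
import re
from typing import Any

# Constructed sample Defender for Office 365 email record (not a real capture).
SAMPLE_RAW = json.dumps({"properties": {
    "SenderMailFromAddress": "alice@example.com",
    "SenderFromAddress": "alice@example.com",
    "To": "bob@corp.example",
    "RecipientDomain": "corp.example",
    "EmailSize": 48213,
    "EmailClusterId": "c-1234",
    "BulkComplaintLevel": 3,
    "ExchangeTransportRule": "quarantine-external",
    "IsFirstContact": True,
    "DetectionMethods": {"Phish": ["URL reputation", "Spoof DMARC"], "Spam": ["Bulk"]},
}})

# Assumed checks: the changelog says "regular expression and length checks" but not which ones.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MAX_EMAIL_LEN = 254

def valid_email(addr: Any) -> bool:
    return isinstance(addr, str) and len(addr) <= MAX_EMAIL_LEN and bool(EMAIL_RE.match(addr))

def map_to_udm(raw: str) -> dict:
    p = json.loads(raw).get("properties", {})
    udm: dict = {"additional": {"fields": {}}}
    fields = udm["additional"]["fields"]
    # Sender addresses are only assigned after they pass validation.
    if valid_email(p.get("SenderMailFromAddress")):
        udm.setdefault("principal", {})["email"] = p["SenderMailFromAddress"]
    if valid_email(p.get("SenderFromAddress")):
        udm.setdefault("network", {}).setdefault("email", {})["from"] = p["SenderFromAddress"]
    if p.get("To"):  # network.email.to is a repeated UDM field
        udm.setdefault("network", {}).setdefault("email", {})["to"] = [p["To"]]
    if p.get("EmailSize") is not None:
        udm.setdefault("network", {})["received_bytes"] = int(p["EmailSize"])
    if p.get("RecipientDomain"):
        udm.setdefault("target", {})["hostname"] = p["RecipientDomain"]
    for key in ("EmailClusterId", "BulkComplaintLevel", "ExchangeTransportRule", "IsFirstContact"):
        if key in p:
            fields[key] = p[key]
    # Array elements become indexed keys instead of one list per category (key format assumed).
    for category in ("Phish", "Spam"):
        for i, method in enumerate(p.get("DetectionMethods", {}).get(category, [])):
            fields[f"{category}_{i}"] = method
    has_principal, has_target = "principal" in udm, "target" in udm
    udm["metadata"] = {"event_type": "NETWORK_CONNECTION" if has_principal and has_target else "GENERIC_EVENT"}
    return udm
```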