Change log for MICROSOFT_GRAPH_ALERT
| Date | Changes |
|---|---|
| 2026-01-07 | - Handled the edge case for setting `metadata.event_type` to `SCAN_HOST` when title is `Suspicious kernel module detected [seen multiple times]`.
|
| 2025-12-18 | - `network.http.user_agent`: Newly mapped `evidence.userAgent` raw log field with `network.http.user_agent` UDM field if the raw log field `evidence.@odata.type` conains the value "cloudLogonSessionEvidence".
|
| 2025-12-16 | - Added mapping for `security_result.action` based on `evidence.detectionStatus` when `serviceSource` is `microsoftDefenderForEndpoint` and `evidence.@odata.type` having value as `fileEvidence` or `processEvidence`.
- Mapped `security_result.action` to `BLOCK` when `evidence.detectionStatus` is `prevented` or `blocked`. - Mapped `security_result.action` to `ALLOW` when `evidence.detectionStatus` is `detected`. |
| 2025-10-14 | - security_result.detection_fields[determination]: Newly mapped `determination` raw log field with `security_result.detection_fields[determination]` UDM field.
|
| 2025-09-17 | Improved error handling to cover various edge cases across multiple scenarios. |
| 2025-08-12 | - `Suspicious Microsoft Defender Antivirus exclusion` : Added support for the new event, `Suspicious Microsoft Defender Antivirus exclusion` in the detection source `microsoftDefenderForEndpoint`.
- Mapped the `evidence.hostName` to the `principal.hostname` if `evidence.deviceDnsName` is empty in the `deviceEvidence` event. |
| 2025-06-10 | - target.file.names: Newly mapped `file_name` raw log field with `target.file.names` UDM field
- Removed unexpected characters from the raw log field `fileState.path` to resolve parsing issues. |
| 2025-01-06 | Corrected typo |
| 2024-12-23 | - Extracted and mapped the IP address, API endpoint, method, and status code from the customProperties log field.
|
| 2024-11-25 | Newly created parser. |