Mappings: Microsoft Defender Advanced Hunting - Audit
| Input | Value |
|---|---|
| Vendor | Microsoft |
| Product | Defender Advanced Hunting |
| Log Format | JSON |
| Event ID Regex Pattern | AdvancedHunting-(DeviceEvents|DeviceInfo|DeviceProcessEvents|DeviceFileEvents|CloudAppEvents|UrlClickEvents|DeviceNetworkInfo) |
| Output | Value |
|---|---|
| Vendor | Microsoft |
| Product | Defender Advanced Hunting |
| Record Type | Audit |
| Cloud SIEM Schema Field | Original Record Key | Notes |
|---|---|---|
| action | properties.ActionType | |
| commandLine | properties.ProcessCommandLine | |
| device_hostname | properties.DeviceName | |
| device_mac | properties.MacAddress | |
| device_osName | properties.OSPlatform | |
| device_uniqueId | properties.DeviceId | |
| dstDevice_hostname | properties.RemoteDeviceName | |
| dstDevice_ip | properties.RemoteIP | |
| dstPort | properties.RemotePort | |
| file_basename | properties.FileName | |
| file_hash_md5 | properties.MD5 | |
| file_hash_sha1 | properties.SHA1 | |
| file_hash_sha256 | properties.SHA256 | |
| file_size | properties.FileSize | |
| http_userAgent | properties.UserAgent | |
| normalizedAction | properties.ActionType | This is a lookup field. More info to come in the catalog later... |
| normalizedResource | properties.ActionType | This is a lookup field. More info to come in the catalog later... |
| pid | properties.ProcessId | |
| sessionId | properties.RawEventData.SessionId | |
| srcDevice_ip | properties.LocalIP | |
| srcPort | properties.LocalPort | |
| success | properties.RawEventData.ResultStatus | This is a lookup field. More info to come in the catalog later... |
| user_userId | properties.RawEventData.UserId |