Collect Microsoft Defender for Identity logs
Supported in:
This document explains how to ingest the Microsoft Defender for Identity logs to Google Security Operations using Azure Storage. The parser processes JSON logs, or CEF formatted logs if the JSON parsing fails. It extracts fields, performs data transformations such as string conversions, renaming, and merging, and maps them to the Unified Data Model (UDM), handling various log formats and enriching the data with additional context like labels and authentication details.
Before you begin
Make sure you have the following prerequisites:
- Google SecOps instance
- active Azure tenant
- Privileged access to Azure and Administrative Security role
Configure Azure Storage account
- In the Azure console, search for Storage accounts.
- Click Create.
- Specify values for the following input parameters:
- Subscription: select the subscription.
- Resource Group: select the resource group.
- Region: select the region.
- Performance: select the type of performance (Standard recommended).
- Redundancy: select the type of redundancy (GRS or LRS recommended).
- Storage account name: enter a name for the new Storage account.
- Click Review + create.
- Review the overview of the account and click Create.
- From the storage account Overview page, select submenu Access keys in Security + networking.
- Click Show next to key1 or key2.
- Click Copy to clipboard to copy the key.
- Save the key in a secure location for future reference.
- From the storage account Overview page, select submenu Endpoints in Settings.
- Click Copy to clipboard to copy the Blob service endpoint URL. (for example,
https://<storageaccountname>.blob.core.windows.net). - Save the endpoint URL in a secure location for future reference.
- Go to Overview > JSON View.
- Copy and save the Storage Resource ID.
Configure Log Export for Microsoft Defender for Identity
- Sign in to the Defender Portal using a privileged account.
- Go to Settings.
- Select the Microsoft Defender XDR tab.
- Select Streaming API from the general section and click Add.
- Select Forward events to Azure Storage.
- Provide the following configuration details:
- Name: Enter a unique and meaningful name.
- Select Forward events to Azure Storage.
- Storage Account Resource ID: Enter the Azure Storage resource ID copied earlier.
- Event Types: Select both Alerts & Behaviors and Devices.
- Click Submit.
Set up feeds
There are two different entry points to set up feeds in the Google SecOps platform:
- SIEM Settings > Feeds > Add New Feed
- Content Hub > Content Packs > Get Started
How to set up the Microsoft Defender for Identity feed
- Click the Microsoft Defender pack.
Specify the following values:
- Source Type: Microsoft Azure Blob Storage V2.
Azure uri: the blob endpoint URL.
ENDPOINT_URL/BLOB_NAMEReplace the following:
ENDPOINT_URL: the blob endpoint URL. (https://<storageaccountname>.blob.core.windows.net)BLOB_NAME: the name of the blob. (such as,insights-logs-<logname>)
Source deletion options: select deletion option according to your preference.
Advanced options
- Feed Name: A prepopulated value that identifies the feed.
- Asset Namespace: Namespace associated with the feed.
- Ingestion Labels: Labels applied to all events from this feed.
Click Create feed.
For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product.
UDM mapping table
| Log Field | UDM Mapping | Logic |
|---|---|---|
category |
metadata.log_type |
The raw log category field is mapped to metadata.log_type. |
properties.AccountDisplayName |
Not Mapped | This field is not mapped to the IDM object in the UDM. |
properties.AccountName |
Not Mapped | This field is not mapped to the IDM object in the UDM. |
properties.AccountUpn |
Not Mapped | This field is not mapped to the IDM object in the UDM. |
properties.ActionType |
metadata.product_event_type |
The raw log properties.ActionType field is mapped to metadata.product_event_type. |
properties.AdditionalFields.ACTOR.ACCOUNT |
Not Mapped | This field is not mapped to the IDM object in the UDM. |
properties.AdditionalFields.ACTOR.DEVICE |
principal.asset.asset_id |
The parser extracts the value of properties.AdditionalFields.ACTOR.DEVICE and prepends ASSET ID:. |
properties.AdditionalFields.ACTOR.ENTITY_USER |
Not Mapped | This field is not mapped to the IDM object in the UDM. |
properties.AdditionalFields.Count |
Not Mapped | This field is not mapped to the IDM object in the UDM. |
properties.AdditionalFields.DestinationComputerDnsName |
Not Mapped | This field is not mapped to the IDM object in the UDM. |
properties.AdditionalFields.DestinationComputerObjectGuid |
target.asset.product_object_id |
The first element of the array properties.AdditionalFields.DestinationComputerObjectGuid is mapped to target.asset.product_object_id. Subsequent elements are mapped to additional.fields with keys like DestinationComputerObjectGuid_1, DestinationComputerObjectGuid_2, etc. |
properties.AdditionalFields.DestinationComputerOperatingSystem |
target.asset.platform_software.platform_version |
The first element of the array properties.AdditionalFields.DestinationComputerOperatingSystem is mapped to target.asset.platform_software.platform_version. Subsequent elements are mapped to additional.fields with keys like DestinationComputerOperatingSystem_1, DestinationComputerOperatingSystem_2, etc. |
properties.AdditionalFields.DestinationComputerOperatingSystemType |
target.asset.platform_software.platform |
If the value is windows, the UDM field is set to WINDOWS. |
properties.AdditionalFields.DestinationComputerOperatingSystemVersion |
target.platform_version |
The first element of the array properties.AdditionalFields.DestinationComputerOperatingSystemVersion is mapped to target.platform_version. Subsequent elements are mapped to additional.fields with keys like DestinationComputerOperatingSystemVersion1, DestinationComputerOperatingSystemVersion2, etc. |
properties.AdditionalFields.FROM.DEVICE |
principal.asset.asset_id |
The parser extracts the value of properties.AdditionalFields.FROM.DEVICE and prepends ASSET ID:. |
properties.AdditionalFields.KerberosDelegationType |
Not Mapped | This field is not mapped to the IDM object in the UDM. |
properties.AdditionalFields.SourceAccountId |
Not Mapped | This field is not mapped to the IDM object in the UDM. |
properties.AdditionalFields.SourceAccountSid |
Not Mapped | This field is not mapped to the IDM object in the UDM. |
properties.AdditionalFields.SourceComputerObjectGuid |
principal.asset.product_object_id |
The raw log properties.AdditionalFields.SourceComputerObjectGuid field is mapped to principal.asset.product_object_id. |
properties.AdditionalFields.SourceComputerOperatingSystem |
principal.asset.platform_software.platform_version |
The raw log properties.AdditionalFields.SourceComputerOperatingSystem field is mapped to principal.asset.platform_software.platform_version. |
properties.AdditionalFields.SourceComputerOperatingSystemType |
principal.asset.platform_software.platform_version |
If the value is windows, the UDM field is set to WINDOWS. |
properties.AdditionalFields.SourceComputerOperatingSystemVersion |
Not Mapped | This field is not mapped to the IDM object in the UDM. |
properties.AdditionalFields.Spns |
Not Mapped | This field is not mapped to the IDM object in the UDM. |
properties.AdditionalFields.TARGET_OBJECT.ENTITY_USER |
Not Mapped | This field is not mapped to the IDM object in the UDM. |
properties.AdditionalFields.TARGET_OBJECT.USER |
target.user.userid |
The first element of the array properties.AdditionalFields.TARGET_OBJECT.USER is mapped to target.user.userid. Subsequent elements are mapped to additional.fields with keys like TARGET_OBJECT.USER_1, TARGET_OBJECT.USER_2, etc. |
properties.AdditionalFields.TO.DEVICE |
target.asset.asset_id |
The first element of the array properties.AdditionalFields.TO.DEVICE is mapped to target.asset.asset_id with ASSET ID: prepended. Subsequent elements are mapped to additional.fields with keys like TODEVICE1, TODEVICE2, etc. |
properties.AuthenticationDetails |
extensions.auth.auth_details |
The parser removes curly braces, square brackets, and double quotes from the value and prepends AuthenticationDetails:. |
properties.DeliveryAction |
additional.fields |
Mapped with key DeliveryAction. |
properties.DeliveryLocation |
additional.fields |
Mapped with key DeliveryLocation. |
properties.DestinationDeviceName |
target.hostname, target.asset.hostname |
The raw log properties.DestinationDeviceName field is mapped to both target.hostname and target.asset.hostname. |
properties.DestinationIPAddress |
target.ip, target.asset.ip |
The raw log properties.DestinationIPAddress field is mapped to both target.ip and target.asset.ip. |
properties.DestinationPort |
target.port |
The raw log properties.DestinationPort field is mapped to target.port. |
properties.DeviceName |
principal.hostname, principal.asset.hostname |
The raw log properties.DeviceName field is mapped to both principal.hostname and principal.asset.hostname. |
properties.EmailClusterId |
additional.fields |
Mapped with key EmailClusterId. |
properties.EmailDirection |
network.direction |
If the value is Inbound, the UDM field is set to INBOUND. If the value is Outbound, the UDM field is set to OUTBOUND. Otherwise, it's set to UNKNOWN_DIRECTION. |
properties.EmailLanguage |
additional.fields |
Mapped with key EmailLanguage. |
properties.InitiatingProcessAccountDomain |
principal.administrative_domain |
The raw log properties.InitiatingProcessAccountDomain field is mapped to principal.administrative_domain. |
properties.InitiatingProcessAccountSid |
principal.user.windows_sid |
The raw log properties.InitiatingProcessAccountSid field is mapped to principal.user.windows_sid. |
properties.InitiatingProcessCommandLine |
principal.process.command_line |
The raw log properties.InitiatingProcessCommandLine field is mapped to principal.process.command_line. |
properties.InitiatingProcessFileName |
principal.process.file.full_path |
Used in combination with properties.InitiatingProcessFolderPath to construct the full path. If properties.InitiatingProcessFolderPath already contains the filename, it's used directly. |
properties.InitiatingProcessFolderPath |
principal.process.file.full_path |
Used in combination with properties.InitiatingProcessFileName to construct the full path. |
properties.InitiatingProcessId |
principal.process.pid |
The raw log properties.InitiatingProcessId field is mapped to principal.process.pid. |
properties.InitiatingProcessIntegrityLevel |
about.labels |
Mapped with key InitiatingProcessIntegrityLevel. |
properties.InitiatingProcessMD5 |
principal.process.file.md5 |
The raw log properties.InitiatingProcessMD5 field is mapped to principal.process.file.md5. |
properties.InitiatingProcessParentId |
principal.process.parent_process.pid |
The raw log properties.InitiatingProcessParentId field is mapped to principal.process.parent_process.pid. |
properties.InitiatingProcessParentFileName |
principal.process.parent_process.file.full_path |
The raw log properties.InitiatingProcessParentFileName field is mapped to principal.process.parent_process.file.full_path. |
properties.InitiatingProcessSHA1 |
principal.process.file.sha1 |
The raw log properties.InitiatingProcessSHA1 field is mapped to principal.process.file.sha1. |
properties.InitiatingProcessSHA256 |
principal.process.file.sha256 |
The raw log properties.InitiatingProcessSHA256 field is mapped to principal.process.file.sha256. |
properties.InitiatingProcessTokenElevation |
about.labels |
Mapped with key InitiatingProcessTokenElevation. |
properties.InternetMessageId |
additional.fields |
The parser removes angle brackets and maps the value with key InternetMessageId. |
properties.IPAddress |
principal.ip, principal.asset.ip |
The raw log properties.IPAddress field is mapped to both principal.ip and principal.asset.ip. |
properties.LogonType |
extensions.auth.mechanism |
Used to derive the value for extensions.auth.mechanism. |
properties.Port |
principal.port |
The raw log properties.Port field is mapped to principal.port. |
properties.PreviousRegistryKey |
src.registry.registry_key |
The raw log properties.PreviousRegistryKey field is mapped to src.registry.registry_key. |
properties.PreviousRegistryValueData |
src.registry.registry_value_data |
The raw log properties.PreviousRegistryValueData field is mapped to src.registry.registry_value_data. |
properties.PreviousRegistryValueName |
src.registry.registry_value_name |
The raw log properties.PreviousRegistryValueName field is mapped to src.registry.registry_value_name. |
properties.Query |
principal.user.attribute.labels |
Mapped with key LDAP Search Scope. |
properties.RecipientEmailAddress |
Not Mapped | This field is not mapped to the IDM object in the UDM. |
properties.RegistryKey |
target.registry.registry_key |
The raw log properties.RegistryKey field is mapped to target.registry.registry_key. |
properties.RegistryValueData |
target.registry.registry_value_data |
The raw log properties.RegistryValueData field is mapped to target.registry.registry_value_data. |
properties.RegistryValueName |
target.registry.registry_value_name |
The raw log properties.RegistryValueName field is mapped to target.registry.registry_value_name. |
properties.ReportId |
about.labels |
Mapped with key ReportId. |
properties.SenderIPv4 |
principal.ip, principal.asset.ip |
The raw log properties.SenderIPv4 field is mapped to both principal.ip and principal.asset.ip. |
properties.SenderMailFromAddress |
principal.user.attribute.labels |
Mapped with key SenderMailFromAddress. |
properties.SenderMailFromDomain |
principal.user.attribute.labels |
Mapped with key SenderMailFromDomain. |
properties.SenderObjectId |
principal.user.product_object_id |
The raw log properties.SenderObjectId field is mapped to principal.user.product_object_id. |
properties.Timestamp |
metadata.event_timestamp |
The raw log properties.Timestamp field is mapped to metadata.event_timestamp. |
tenantId |
observer.cloud.project.id |
The raw log tenantId field is mapped to observer.cloud.project.id. |
| N/A | extensions.auth.type |
The value MACHINE is assigned by the parser. |
| N/A | metadata.event_type |
Derived based on the category and properties.ActionType fields. Can be USER_LOGIN, USER_RESOURCE_ACCESS, USER_CHANGE_PASSWORD, REGISTRY_MODIFICATION, REGISTRY_DELETION, REGISTRY_CREATION, GENERIC_EVENT, or STATUS_UPDATE. |
| N/A | metadata.vendor_name |
The value Microsoft is assigned by the parser. |
| N/A | metadata.product_name |
The value Microsoft Defender Identity is assigned by the parser. |
cs1 |
metadata.url_back_to_product |
The raw log cs1 field is mapped to metadata.url_back_to_product. |
externalId |
metadata.product_log_id |
The raw log externalId field is mapped to metadata.product_log_id. |
msg |
metadata.description |
The raw log msg field is mapped to metadata.description. |
rule_name |
security_result.rule_name |
The raw log rule_name field is mapped to security_result.rule_name. |
severity |
security_result.severity |
The raw log severity field is mapped to security_result.severity. |
shost |
principal.hostname, principal.asset.hostname |
The raw log shost field is mapped to both principal.hostname and principal.asset.hostname. |
src |
principal.ip |
The raw log src field is mapped to principal.ip. |
suser |
principal.user.user_display_name |
The raw log suser field is mapped to principal.user.user_display_name. |
time |
metadata.event_timestamp |
The raw log time field is mapped to metadata.event_timestamp. |
userid |
principal.user.userid |
The raw log userid field is mapped to principal.user.userid. |
| N/A | security_result.action |
Derived based on the properties.ActionType field. Can be ALLOW or BLOCK. |
| N/A | security_result.summary |
Derived from either the category field or the properties.ActionType field. |
Need more help? Get answers from Community members and Google SecOps professionals.