Change log for MICROSOFT_DEFENDER_MAIL
Date
Changes
2025-03-24
- Enhanced email validation for "_raw.properties.SenderMailFromAddress" before assigning to "principal.email", using both regular expression and length checks.
- Corrected merge target for "_raw.properties.EmailClusterId" from "event1.idm.read_only_udm.additional.fields" to "additional.fields" to ensure proper population of the field.
- Added a length check on "_raw.properties.SenderFromAddress" before assigning it to "network.email.from", so that values of implausible length are not mapped as an email address.
2025-01-23
- Mapped "properties.Action" to "security_result.action_details".
- Mapped "properties.ActionType" to "security_result.detection_fields".
2024-10-10
- Added support to parse new format of unparsed JSON logs.
2024-08-06
- Newly created parser.

Last updated 2025-04-29 UTC.
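The validation gates and field mappings listed in the entries above, written out in Python as an added illustration. This is not the Chronicle parser itself (which is a Logstash-style parser config) and not code from the product documentation; the regex, the length bound of 254 characters, the UDM dict shape and the sample events are assumptions made for the example.

```python
import re

# Added illustration of the change-log entries for MICROSOFT_DEFENDER_MAIL.
# NOT the real parser: the regex, MAX_EMAIL_LEN, the UDM layout and the
# sample events are assumptions for this example.

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # assumed shape: local@domain.tld
MAX_EMAIL_LEN = 254                                   # assumed bound (RFC 5321 practical limit)


def is_valid_email(value):
    """Regex plus length check, as the 2025-03-24 entry describes for principal.email."""
    return (
        isinstance(value, str)
        and 0 < len(value) <= MAX_EMAIL_LEN
        and EMAIL_RE.match(value) is not None
    )


def has_valid_length(value):
    """Length-only check, as the 2025-03-24 entry describes for network.email.from."""
    return isinstance(value, str) and 0 < len(value) <= MAX_EMAIL_LEN


def map_to_udm(raw):
    """Map one already-parsed Defender mail event to a UDM-shaped dict.

    Fields that fail their check are simply not populated, which is what a
    parser validation gate does: a bad value is dropped, not rewritten.
    """
    props = raw.get("properties", {})
    udm = {}

    sender = props.get("SenderMailFromAddress")
    if is_valid_email(sender):
        udm.setdefault("principal", {})["email"] = sender

    sender_from = props.get("SenderFromAddress")
    if has_valid_length(sender_from):
        udm.setdefault("network", {}).setdefault("email", {})["from"] = sender_from

    # 2025-01-23 entries: Action and ActionType into security_result.
    if "Action" in props:
        udm.setdefault("security_result", {})["action_details"] = props["Action"]
    if "ActionType" in props:
        udm.setdefault("security_result", {})["detection_fields"] = [
            {"key": "ActionType", "value": props["ActionType"]}
        ]

    # 2025-03-24 entry: EmailClusterId merged into additional.fields.
    if "EmailClusterId" in props:
        fields = udm.setdefault("additional", {}).setdefault("fields", {})
        fields["EmailClusterId"] = props["EmailClusterId"]

    return udm


# Constructed sample events (not real Defender output).
SAMPLE_EVENTS = [
    {
        "properties": {
            "SenderMailFromAddress": "alerts@example.com",
            "SenderFromAddress": "alerts@example.com",
            "Action": "Quarantine",
            "ActionType": "Phish",
            "EmailClusterId": "12345",
        }
    },
    {
        # Malformed sender and an oversized SenderFromAddress: both must be dropped.
        "properties": {
            "SenderMailFromAddress": "not an email",
            "SenderFromAddress": "x" * (MAX_EMAIL_LEN + 1),
            "Action": "Allow",
        }
    },
]


def run_samples():
    """Map every constructed sample event; returns the list of UDM dicts."""
    return [map_to_udm(event) for event in SAMPLE_EVENTS]


if __name__ == "__main__":
    for mapped in run_samples():
        print(mapped)
```

A value that fails its gate is left out of the mapped event rather than coerced; downstream rules should therefore treat a missing principal.email as "sender not parseable", not as "no sender".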