Collect Microsoft Defender for Cloud alerts

Supported in:

Google secops SIEM

This document explains how to ingest Microsoft Defender for Cloud (formerly Azure Security Center) alerts to Google Security Operations. You can configure ingestion using two supported methods:

Method 1: Azure Event Hub (recommended): Defender for Cloud Continuous Export streams alerts directly to an Azure Event Hub, from where Google SecOps ingests them in near real time.
Method 2: Azure Blob Storage V2: Defender for Cloud Continuous Export delivers alerts to a Log Analytics workspace, a Log Analytics Data Export rule writes them to an Azure Storage Account, and Google SecOps ingests them from the blob container on a polling schedule.

Microsoft Defender for Cloud is a cloud-native application protection platform that provides unified security management and threat protection across Azure, hybrid, and multi-cloud workloads.

Before you begin

Ensure that you have the following prerequisites:

Common to both methods:
- A Google SecOps instance.
- Privileged access to the Microsoft Azure portal with permissions to:
  - Configure Continuous Export on a Microsoft Defender for Cloud subscription.
- Security Admin or Owner role on the Azure subscription containing Microsoft Defender for Cloud.
- Microsoft Defender for Cloud enabled on the subscription with at least one Defender plan active.
Method 1 additional prerequisites (Azure Event Hub):
- Permissions to create Event Hub namespaces and Event Hubs and to manage Event Hub access policies.
- Write permissions on the target Event Hub policy (required by Continuous Export).
Method 2 additional prerequisites (Azure Blob Storage V2):
- Permissions to create or manage a Log Analytics workspace and to create Data Export rules on it.
- Permissions to create an Azure Storage Account with a blob container and to retrieve its access keys.

Method 1: Azure Event Hub (recommended)

Use this method when you want near-real-time ingestion of Defender for Cloud alerts and you can grant Google SecOps access to an Azure Event Hub.

Create Event Hub namespace

An Event Hub namespace is a management container for one or more Event Hubs.

In the Azure portal, search for Event Hubs.
Click + Create.

Provide the following configuration details:

Setting	Value
Subscription	Select the subscription containing Microsoft Defender for Cloud.
Resource group	Select existing or create new.
Namespace name	Enter a unique name (for example, `secops-defender-ns`).
Location	Select the same region as your Google SecOps instance (deploying in a different region reduces ingestion throughput).
Pricing tier	Standard (recommended for production).
Throughput units	Start with `1`, enable Auto-inflate (recommended).

Click Review + create.
Review the overview and click Create.
Wait for the deployment to complete (1-2 minutes).

Note: One throughput unit (TU) supports up to 1 MB per second of data ingestion (1 MB/s ingress, 2 MB/s egress). If incoming event volume exceeds the capacity of the configured TUs, the Event Hub may crash and logs may be lost before they reach Google SecOps. Enable Auto-inflate to automatically scale throughput up as alert volume grows.

Create Event Hub

After the namespace is deployed, go to the Event Hub namespace.
In the left navigation, select Event Hubs under Entities.
Click + Event Hub.

Provide the following configuration details:

Setting	Value
Name	Enter a unique name that matches the log type (for example, `defender-cloud-alerts`); avoid leaving the field blank during Defender Continuous Export configuration to prevent the system from creating extra event hubs.
Partition count	`40` (recommended for optimal Google SecOps scaling).
Message retention	`7` days minimum. Set the longest retention you can afford so logs are not deleted before ingestion resumes after a quota throttle.
Capture	Disabled (not needed for direct Event Hub ingestion).

Click Create.

Note: Partition count of 40 is recommended for Google SecOps feeds. This setting cannot be changed later in the standard and basic tiers.

Get Event Hub connection string

Google SecOps requires a connection string to authenticate to the Event Hub.

Option A: Namespace-level connection string (recommended)

Go to the Event Hub namespace.
In the left navigation, select Shared access policies under Settings.
Click the default policy RootManageSharedAccessKey.
Copy the Connection string-primary key.

Save this connection string securely.

Example:

Original: Endpoint=sb://secops-defender-ns.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=abc123==;EntityPath=defender-cloud-alerts

Remove EntityPath: Endpoint=sb://secops-defender-ns.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=abc123==

Option B: Event Hub-level connection string

Go to the Event Hub (not the namespace).
In the left navigation, select Shared access policies under Settings.
Click + Add to create a new policy.
Provide the following configuration details:
- Policy name: enter a descriptive name (for example, chronicle-listen).
- Permissions: select Listen only (read-only access).
Click Create.
Click the newly created policy.
Copy the Connection string-primary key.
Save this connection string securely.

Note: Event Hub-level connection strings already include the EntityPath parameter, so no modification is needed.

Configure Microsoft Defender for Cloud to stream alerts to Event Hub

Microsoft Defender for Cloud uses the Continuous Export feature to stream alerts and recommendations to an Event Hub as they are generated.

Sign in to the Azure portal.
Search for and open Microsoft Defender for Cloud.
In the Defender for Cloud resource menu, select Environment settings.
Select the subscription that you want to configure data export for.
In the resource menu under Settings, select Continuous export.
Select the Event hub tab.
Provide the following configuration details:
- Export enabled?: toggle to the on position.
- In the Exported data types section, select the data types to export. To collect security alerts, select the following checkboxes:
  - Security alerts
  - (Optional) Security recommendations, Secure score, Regulatory compliance, Attack paths, and other types as needed
- For each selected data type, configure filters (for example, export only Low, Medium, High, or all severity levels).
- In the Export frequency section, select the frequency:
  - Streaming: sends alerts as they are generated (recommended for Google SecOps).
  - Snapshots: sends a weekly snapshot of the current state (use only for periodic reporting).
- In the Export target section, configure the destination:
  - Export target: select Event hub.
  - Subscription: select the subscription containing the Event Hub namespace.
  - Event hub namespace: select secops-defender-ns (or the namespace you created earlier).
  - Event hub name: select defender-cloud-alerts (or the Event Hub you created earlier). Always select an existing Event Hub; leaving this field blank causes the system to create extra Event Hubs and may exhaust your feed quota.
  - Event hub policy name: select RootManageSharedAccessKey or a custom policy with Send permissions.
Click Save.

Note: Continuous Export starts streaming new alerts immediately. Existing alerts generated before enabling Continuous Export are not exported retroactively. For historical export, see Microsoft Defender for Cloud documentation.

(Optional) Create dedicated consumer group

By default, Event Hub provides a consumer group named $Default. For production environments, it's recommended to create a dedicated consumer group for Google SecOps.

Go to the Event Hub (not the namespace).
In the left navigation, select Consumer groups under Entities.
Click + Consumer group.
Provide the following configuration details:
- Name: enter a descriptive name (for example, chronicle).
Click Create.

Note: If you create a dedicated consumer group, you must specify it when creating the feed in Google SecOps. Otherwise, use the default $Default consumer group.
Caution: Don't create additional subscribers on the Google SecOps consumer group, and do not retrieve data programmatically through the Azure portal Data Explorer tab while it is in use. Either action may cause data loss because Event Hub consumer-group offsets advance as data is read.

Configure a feed in Google SecOps to ingest Microsoft Defender for Cloud alerts (Method 1)

Go to SIEM Settings > Feeds.
Click Add New Feed.
On the next page, click Configure a single feed.
In the Feed name field, enter a name for the feed (for example, Microsoft Defender for Cloud Alerts).
Select Microsoft Azure Event Hub as the Source type.
Select Microsoft Defender For Cloud as the Log type.
Click Next.
Specify values for the following input parameters:
- Event Hub Name: enter the Event Hub name (for example, defender-cloud-alerts).
- Event Hub Consumer Group: enter the consumer group name.
  - Use $Default for the default consumer group.
  - If you created a dedicated consumer group, enter its name (for example, chronicle).
- Event Hub Connection String: enter the Event Hub connection string you captured earlier.
  
  If using namespace-level connection string:
  - Ensure you removed the EntityPath parameter.
  If using event hub-level connection string: - Use the connection string as-is (includes EntityPath).
- Azure Storage Connection String (optional): legacy field for Event Hub checkpointing storage; leave blank.
- Azure Storage Container Name (optional): legacy field for Event Hub checkpointing storage; leave blank.
- Azure SAS Token (optional): alternative authentication to the Event Hub when your security policy forbids sharing the Event Hub Connection String; leave blank when you provide the connection string above.
- Asset namespace: the asset namespace.
- Ingestion labels: the label to be applied to the events from this feed.
Note: Google SecOps manages its own checkpointing for Azure Event Hub feeds. Only the Event Hub Connection String (or, in its place, Azure SAS Token) is required; the Azure Storage Connection String and Azure Storage Container Name fields are legacy checkpointing fields that do not affect ingestion and should be left blank in standard deployments.
Click Next.
Review your new feed configuration in the Finalize screen, and then click Submit.

Note: After creating the feed, it may take 1-2 minutes before alerts start appearing in Google SecOps.

Method 2: Azure Blob Storage V2

Use this method when your organization already retains Defender for Cloud alerts in a Log Analytics workspace (for compliance or long-term storage) and you want Google SecOps to ingest the same alerts from an Azure Storage Account. Microsoft Defender for Cloud Continuous Export does not write to a Storage Account directly, so this method relies on the standard Log Analytics Data Export feature to land alerts in blob storage, from where Google SecOps reads them.

The end-to-end data path is:

Microsoft Defender for Cloud > Continuous Export to a Log Analytics workspace
Log Analytics workspace > Data Export rule writes the SecurityAlert table to an Azure Storage Account (blob container)
Google SecOps Azure Blob Storage V2 feed polls the blob container and ingests new alerts

Configure Microsoft Defender for Cloud to stream alerts to a Log Analytics workspace

Sign in to the Azure portal.
Search for and open Microsoft Defender for Cloud.
In the Defender for Cloud resource menu, select Environment settings.
Select the subscription that you want to configure data export for.
In the resource menu under Settings, select Continuous export.
Select the Log Analytics workspace tab.
Provide the following configuration details:
- Export enabled?: toggle to the on position.
- In the Exported data types section, select Security alerts (and any other data types you want to capture).
- For each selected data type, configure severity filters as required.
- In the Export frequency section, select Streaming for near-real-time export.
- In the Export target section, configure the destination:
  - Export target: select Log Analytics workspace.
  - Subscription: select the subscription that contains the workspace.
  - Log Analytics workspace: select an existing workspace or create a new one.
Click Save.

Note: Continuous Export only forwards alerts generated after the configuration is enabled. Existing alerts are not exported retroactively.

Create an Azure Storage Account and blob container

In the Azure portal, search for Storage accounts.
Click + Create.

Provide the following configuration details:

Setting	Value
Subscription	Select the subscription that contains the Log Analytics workspace.
Resource group	Use the same resource group as the workspace (recommended).
Storage account name	Enter a unique name (for example, `secopsdefenderblob`).
Region	Same region as the Log Analytics workspace (required for Data Export).
Performance	Standard.
Redundancy	LRS (Locally redundant storage) or GRS, per your durability policy.

Click Review + create, then click Create.
After deployment, go to the Storage Account.
In the left navigation, select Containers under Data storage.
Click + Container.
Provide the following configuration details:
- Name: enter a descriptive name (for example, defender-cloud-alerts).
- Public access level: Private (no anonymous access).
Click Create.

Note: Log Analytics Data Export creates one blob per SecurityAlert table row batch, organized by date prefix. Do not delete the container or its lifecycle settings while Google SecOps is reading from it.

Configure a Log Analytics Data Export rule

In the Azure portal, open the Log Analytics workspace you selected as the Continuous Export target.
In the left navigation, select Data Export under Settings.
Click + New export rule.
Provide the following configuration details:
- Rule name: enter a descriptive name (for example, defender-alerts-to-blob).
- Source: select the SecurityAlert table (the table that Defender for Cloud Continuous Export uses for alerts).
- Destination type: select Storage account.
- Subscription: select the subscription that contains the Storage Account.
- Storage account: select the Storage Account that you created above.
Click Create.

Note: Data Export must run in the same region as the workspace and the Storage Account; cross-region rules are rejected by Azure. For the list of SecurityAlert columns that are exported, see Log Analytics Data Export documentation.

Get Storage Account credentials

Google SecOps authenticates to the Storage Account with a shared access key.

In the Storage Account, select Access keys under Security + networking.
Click Show keys.
Locate key1 and copy the following values:
- Storage account name: the name of the Storage Account you created.
- Key: the 512-bit shared access key (base64 encoded).
Save these values securely.

Configure a feed in Google SecOps to ingest Microsoft Defender for Cloud alerts (Method 2)

Go to SIEM Settings > Feeds.
Click Add New Feed.
On the next page, click Configure a single feed.
In the Feed name field, enter a name for the feed (for example, Microsoft Defender for Cloud Alerts - Blob).
Select Microsoft Azure Blob Storage V2 as the Source type.
Select Microsoft Defender For Cloud as the Log type.
Click Next.
Specify values for the following input parameters:
- Azure URI: enter the Blob Service endpoint URL with the container path. Include the trailing slash.
```
https://<STORAGE_ACCOUNT>.blob.core.windows.net/<CONTAINER>/
```
  Replace the following:
  - <STORAGE_ACCOUNT>: your Azure storage account name (for example, secopsdefenderblob).
  - <CONTAINER>: the blob container name where Log Analytics Data Export lands SecurityAlert rows (for example, defender-cloud-alerts).
- Source deletion option: select the deletion option according to your preference:
  - Never: never deletes any files after transfer (recommended for first-time setup and audit retention).
  - Delete transferred files: deletes files after successful transfer.
  - Delete transferred files and empty directories: deletes files and empty directories after successful transfer.
  Note: If you select a deletion option that removes files, make sure the shared access key grants delete permissions on the container.
- Maximum File Age (Days): include files modified within the last number of days (default is 180).
- Shared key: enter the shared access key value you captured from the Storage Account.
- Asset namespace: the asset namespace.
- Ingestion labels: the label to be applied to the events from this feed.
Click Next.
Review your new feed configuration in the Finalize screen, and then click Submit.

Note: Google SecOps polls the blob container on a managed schedule. Expect first events to appear within 15 to 30 minutes of the feed becoming active, depending on how quickly Log Analytics Data Export flushes new SecurityAlert rows to the Storage Account.

UDM mapping table

Log field	UDM mapping	Logic
`EndTimeLabel`	`about.labels`	Merged
`ProcessingEndTimeLabel`	`about.labels`	Merged
`StartTimeLabel`	`about.labels`	Merged
`TimeGeneratedLabel`	`about.labels`	Merged
`extendedLinkCategoryLabel`	`about.labels`	Merged
`extendedLinkLabel`	`about.labels`	Merged
`extendedLinkTypeLabel`	`about.labels`	Merged
`extendedlinkHrefLabel`	`about.labels`	Merged
`EndTimeLabel`	`about.resource.attribute.labels`	Merged
`ProcessingEndTimeLabel`	`about.resource.attribute.labels`	Merged
`StartTimeLabel`	`about.resource.attribute.labels`	Merged
`TimeGeneratedLabel`	`about.resource.attribute.labels`	Merged
`extendedLinkCategoryLabel`	`about.resource.attribute.labels`	Merged
`extendedLinkLabel`	`about.resource.attribute.labels`	Merged
`extendedLinkTypeLabel`	`about.resource.attribute.labels`	Merged
`extendedlinkHrefLabel`	`about.resource.attribute.labels`	Merged
`EndTimeLabel1`	`additional.fields`	Merged
`IoTHub_ResourceId_label`	`additional.fields`	Merged
`IoTHub_Type_label`	`additional.fields`	Merged
`Protocols_label`	`additional.fields`	Merged
`RemediationSteps_label`	`additional.fields`	Merged
`Scopes_label`	`additional.fields`	Merged
`StartTimeLabel1`	`additional.fields`	Merged
`TimeGeneratedLabel1`	`additional.fields`	Merged
`account_type`	`additional.fields`	Merged
`alert_generation_status_label`	`additional.fields`	Merged
`bacnet_service_label`	`additional.fields`	Merged
`billed_size_label`	`additional.fields`	Merged
`category_label`	`additional.fields`	Merged
`event_data_info`	`additional.fields`	Merged
`extended_properties_device_id_label`	`additional.fields`	Merged
`ip_category`	`additional.fields`	Merged
`is_billable_label`	`additional.fields`	Merged
`is_learnable_label`	`additional.fields`	Merged
`item_id_label`	`additional.fields`	Merged
`key`	`additional.fields`	Mapped: `IpAddress` → `nic_sub_field`
`key_value`	`additional.fields`	Merged
`mode_label`	`additional.fields`	Merged
`nic_field`	`additional.fields`	Merged
`nic_sub_field`	`additional.fields`	Merged
`owner_label`	`additional.fields`	Merged
`processed_by_sentinel_label`	`additional.fields`	Merged
`protocol_label`	`additional.fields`	Merged
`provider_name_label`	`additional.fields`	Merged
`remediation_steps_label`	`additional.fields`	Merged
`role_label`	`additional.fields`	Merged
`service_object_type`	`additional.fields`	Merged
`techniques_label`	`additional.fields`	Merged
`tenantIdLabel`	`additional.fields`	Merged
`time_received_label`	`additional.fields`	Merged
`type_ext_label`	`additional.fields`	Merged
`type_label`	`additional.fields`	Merged
`value_label`	`additional.fields`	Merged
`authentication_type`	`extensions.auth.auth_details`	Directly mapped
`SensorId`	`intermediary.hostname`	Directly mapped
`record.TimeGenerated`	`metadata.event_timestamp`	Parsed as `ISO8601`
`record.properties.Timestamp`	`metadata.event_timestamp`	Parsed as `ISO8601`
`record.time`	`metadata.event_timestamp`	Parsed as `ISO8601`
`has_principal`	`metadata.event_type`	Mapped: `true` → `NETWORK_CONNECTION`, `true` → `STATUS_UPDATE`
`record.operationName`	`metadata.product_event_type`	Directly mapped
`raw_event_id`	`metadata.product_log_id`	Directly mapped
`record.SystemAlertId`	`metadata.product_log_id`	Directly mapped
`record.alertId`	`metadata.product_log_id`	Directly mapped
`record.properties.extendedProperties.alert_Id`	`metadata.product_log_id`	Directly mapped
`product_name`	`metadata.product_name`	Directly mapped
`record.properties.productName`	`metadata.product_name`	Directly mapped
`vendor_name`	`metadata.vendor_name`	Directly mapped
`record.properties.RawEventData.AffectedItems.0.InternetMessageId`	`network.email.mail_id`	Directly mapped
`record.properties.RawEventData.Folders.0.FolderItems.0.InternetMessageId`	`network.email.mail_id`	Directly mapped
`record.properties.RawEventData.Item.InternetMessageId`	`network.email.mail_id`	Directly mapped
`email_subject`	`network.email.subject`	Merged
`operation`	`network.email.subject`	Mapped (lookup table)
`record.properties.UserAgent`	`network.http.user_agent`	Directly mapped
`user_agent`	`network.http.user_agent`	Directly mapped
`network_session_id`	`network.session_id`	Directly mapped
`record.ExtendedProperties.accountSessionId`	`network.session_id`	Directly mapped
`record.properties.RawEventData.ClientRequestId`	`network.session_id`	Directly mapped
`record.clientApplication`	`principal.application`	Directly mapped
`record.properties.extendedProperties.clientApplication`	`principal.application`	Directly mapped
`SourceDevice`	`principal.asset.hostname`	Directly mapped
`client_hostname`	`principal.asset.hostname`	Directly mapped
`compromised_hostname`	`principal.asset.hostname`	Directly mapped
`SourceDeviceAddress`	`principal.asset.ip`	Mapped: IPv4 regex
`clientIpAddress`	`principal.asset.ip`	Merged
`SourceComputerId`	`principal.asset.product_object_id`	Directly mapped
`SourceDevice`	`principal.hostname`	Directly mapped
`client_hostname`	`principal.hostname`	Directly mapped
`compromised_hostname`	`principal.hostname`	Directly mapped
`SourceDeviceAddress`	`principal.ip`	Mapped: IPv4 regex
`clientIpAddress`	`principal.ip`	Merged
`alertLabel`	`principal.labels`	Merged
`cityLabel`	`principal.location.city`	Directly mapped
`record.properties.City`	`principal.location.city`	Directly mapped
`countryLabel`	`principal.location.country_or_region`	Directly mapped
`record.clientIpLocation`	`principal.location.country_or_region`	Directly mapped
`record.clientLocation`	`principal.location.country_or_region`	Directly mapped
`record.properties.clientLocation`	`principal.location.country_or_region`	Directly mapped
`record.properties.extendedProperties.clientLocation`	`principal.location.country_or_region`	Directly mapped
`isp`	`principal.location.name`	Directly mapped
`entity.location.latitude`	`principal.location.region_coordinates.latitude`	Directly mapped
`entity.location.longitude`	`principal.location.region_coordinates.longitude`	Directly mapped
`os_platform`	`principal.platform`	Mapped: `iOS` → `MAC`
`record.ExtendedProperties.suspiciousCommandLine`	`principal.process.command_line`	Directly mapped
`record.ExtendedProperties.suspiciousProcess`	`principal.process.file.full_path`	Directly mapped
`record.properties.RawEventData.ClientProcessName`	`principal.process.file.full_path`	Directly mapped
`record.ExtendedProperties.suspiciousProcessId`	`principal.process.pid`	Directly mapped
`account_id`	`principal.resource.attribute.labels`	Merged
`account_object_id`	`principal.resource.attribute.labels`	Merged
`alertLabel`	`principal.resource.attribute.labels`	Merged
`alertLabel1`	`principal.resource.attribute.labels`	Merged
`app_instance_id`	`principal.resource.attribute.labels`	Merged
`compromisedEntityLabel`	`principal.resource.attribute.labels`	Merged
`compromisedEntityLabel1`	`principal.resource.attribute.labels`	Merged
`correlationKeyLabel`	`principal.resource.attribute.labels`	Merged
`effectiveSubscriptionIdLabel`	`principal.resource.attribute.labels`	Merged
`object_id`	`principal.resource.attribute.labels`	Merged
`object_name`	`principal.resource.attribute.labels`	Merged
`object_type`	`principal.resource.attribute.labels`	Merged
`potential_causes`	`principal.resource.attribute.labels`	Merged
`productComponentNameLabel`	`principal.resource.attribute.labels`	Merged
`sql_instance_name_label`	`principal.resource.attribute.labels`	Merged
`sql_server_name_label`	`principal.resource.attribute.labels`	Merged
`supporting_evidence_label`	`principal.resource.attribute.labels`	Merged
`system_alert_id_label`	`principal.resource.attribute.labels`	Merged
`zone_interface_label`	`principal.resource.attribute.labels`	Merged
`record.properties.extendedProperties.resourceType`	`principal.resource.name`	Directly mapped
`resourceType`	`principal.resource.name`	Directly mapped
`record.ResourceId`	`principal.resource.product_object_id`	Directly mapped
`mailbox_owner_upn`	`principal.user.email_addresses`	Merged
`principal_user_display_name`	`principal.user.user_display_name`	Directly mapped
`record.ExtendedProperties.userName`	`principal.user.user_display_name`	Directly mapped
`client_user`	`principal.user.userid`	Directly mapped
`principal_userid`	`principal.user.userid`	Directly mapped
`record.properties.RawEventData.LogonUserSid`	`principal.user.windows_sid`	Directly mapped
`action`	`security_result.action`	Merged
`operation`	`security_result.action`	Mapped (lookup table)
`tacticsLabel`	`security_result.attack_details.tactics`	Merged
`category_details_label`	`security_result.category_details`	Merged
`threat_category`	`security_result.category_details`	Merged
`record.Description`	`security_result.description`	Directly mapped
`record.properties.description`	`security_result.description`	Directly mapped
`KindLabel`	`security_result.detection_fields`	Merged
`action_type`	`security_result.detection_fields`	Merged
`application_id`	`security_result.detection_fields`	Merged
`device_type`	`security_result.detection_fields`	Merged
`field`	`security_result.detection_fields`	Merged
`incidentdetectionfields`	`security_result.detection_fields`	Merged
`incidentdetectionfields1`	`security_result.detection_fields`	Merged
`intent_label`	`security_result.detection_fields`	Merged
`is_admin_operation_label`	`security_result.detection_fields`	Merged
`is_impersonated_label`	`security_result.detection_fields`	Merged
`is_new_label`	`security_result.detection_fields`	Merged
`operation`	`security_result.detection_fields`	Mapped: `MailItemsAccessed` → `field`
`product_component_name_ext_label`	`security_result.detection_fields`	Merged
`sourcesystemdetectionfields`	`security_result.detection_fields`	Merged
`statusdetectionfields`	`security_result.detection_fields`	Merged
`statusdetectionfields1`	`security_result.detection_fields`	Merged
`trojan_script_malgent_msr_label`	`security_result.detection_fields`	Merged
`vendor_original_id_label`	`security_result.detection_fields`	Merged
`violation_count_label`	`security_result.detection_fields`	Merged
`report_id`	`security_result.rule_id`	Directly mapped
`alertDisplayName`	`security_result.rule_name`	Directly mapped
`record.AlertName`	`security_result.rule_name`	Directly mapped
`alert_severity`	`security_result.severity`	Directly mapped
`severity`	`security_result.severity`	Directly mapped
`alert_severity`	`security_result.severity_details`	Directly mapped
`record.properties.severity`	`security_result.severity_details`	Directly mapped
`record.DisplayName`	`security_result.summary`	Directly mapped
`summary`	`security_result.summary`	Directly mapped
`record.AlertType`	`security_result.threat_name`	Directly mapped
`record.properties.alertType`	`security_result.threat_name`	Directly mapped
`AlertManagementUri`	`security_result.url_back_to_product`	Directly mapped
`record.properties.RawEventData.Folder.Path`	`src.resource.name`	Directly mapped
`record.properties.RawEventData.Folder.Id`	`src.resource.product_object_id`	Directly mapped
`application`	`target.application`	Directly mapped
`DestinationDevice`	`target.asset.hostname`	Directly mapped
`record.ExtendedProperties.compromisedHost`	`target.asset.hostname`	Directly mapped
`DestinationDeviceAddress`	`target.asset.ip`	Mapped: IPv4 regex
`CompromisedEntityId`	`target.asset.product_object_id`	Directly mapped
`file_name`	`target.file.names`	Merged
`operation`	`target.file.names`	Mapped (lookup table)
`operation`	`target.file.size`	Mapped (lookup table)
`record.properties.RawEventData.Item.SizeInBytes`	`target.file.size`	Directly mapped
`DestinationDevice`	`target.hostname`	Directly mapped
`originating_server`	`target.hostname`	Directly mapped
`record.ExtendedProperties.compromisedHost`	`target.hostname`	Directly mapped
`DestinationDeviceAddress`	`target.ip`	Mapped: IPv4 regex
`target_process_command_line`	`target.process.command_line`	Directly mapped
`target_process_file`	`target.process.file.full_path`	Directly mapped
`target_process_id`	`target.process.pid`	Directly mapped
`workspaceLabel`	`target.resource.attribute.labels`	Merged
`workspaceResourceGroupLabel`	`target.resource.attribute.labels`	Merged
`AzureResourceId`	`target.resource.id`	Directly mapped
`record.properties.RawEventData.DestFolder.Path`	`target.resource.name`	Directly mapped
`record.properties.RawEventData.Item.ParentFolder.Path`	`target.resource.name`	Directly mapped
`record._Internal_WorkspaceResourceId`	`target.resource.product_object_id`	Directly mapped
`record.properties.RawEventData.DestFolder.Id`	`target.resource.product_object_id`	Directly mapped
`record.properties.RawEventData.Item.Id`	`target.resource.product_object_id`	Directly mapped
`operation`	`target.user.email_addresses`	Mapped (lookup table)
`target_user`	`target.user.email_addresses`	Mapped: email regex
N/A	`metadata.event_type`	Constant: `NETWORK_CONNECTION`
N/A	`metadata.product_name`	Constant: `MICROSOFT_DEFENDER_CLOUD_ALERTS`
N/A	`metadata.vendor_name`	Constant: `MICROSOFT_DEFENDER_CLOUD_ALERTS`
N/A	`principal.platform`	Constant: `MAC`

Need more help? Get answers from Community members and Google SecOps professionals.