From dd2f3e50db5d9887887ceb0ebfdf635d06704b35 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Fri, 24 Sep 2021 19:53:21 -0500
Subject: [PATCH] Create ecs-ms365_defender.yml

---
 tools/config/ecs-ms365_defender.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 tools/config/ecs-ms365_defender.yml

diff --git a/tools/config/ecs-ms365_defender.yml b/tools/config/ecs-ms365_defender.yml
new file mode 100644
index 000000000..c9447407b
--- /dev/null
+++ b/tools/config/ecs-ms365_defender.yml
@@ -0,0 +1,16 @@
+title: Microsoft 365 Defender Logs Elasticsearch ecs mapping
+order: 20
+backends:
+  - es-qs
+  - es-rule
+fieldmappings:
+  classification: microsoft.m365_defender.alerts.classification
+  determination: microsoft.m365_defender.alerts.determination
+  severity: microsoft.m365_defender.alerts.severity
+  status: microsoft.m365_defender.alerts.status
+  detectionSource: microsoft.m365_defender.alerts.detectionSource
+  threatFamilyName: microsoft.m365_defender.alerts.threatFamilyName
+  registryHive: microsoft.m365_defender.alerts.entities.registryHive
+  registryKey: microsoft.m365_defender.alerts.entities.registryKey
+  registryValueType: microsoft.m365_defender.alerts.entities.registryValueType
+  ipAddress: microsoft.m365_defender.alerts.entities.ipAddress
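Review bot: The `fieldmappings` block is unconditional and the file has no `logsources` section, so every rule converted with this config gets these rewrites, not only rules whose logsource is Microsoft 365 Defender; generic names such as `severity`, `status` and `ipAddress` occur in rules for other products and would be redirected to `microsoft.m365_defender.alerts.*` when this config is combined with others at `order: 20`. Consider adding a `logsources` entry for the Defender product (with its `index`, so the `es-rule` output targets the right indices) and, if the Sigma version in use supports conditional mappings, scoping the generic names to that logsource, e.g. `severity:` / `product=m365_defender: microsoft.m365_defender.alerts.severity` — confirm the exact product value against the rules this config is meant for. A one-line header comment naming the Filebeat/ingest pipeline these `microsoft.m365_defender.alerts.*` paths come from would also help the next maintainer, since the file name says "ecs" but the targets are module-specific fields.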