Microsoft Sentinel Content Pack Data Mappings
  • 13 Oct 2023


Article Summary

The data mappings in Table 1 through Table 11 illustrate how data are mapped from Microsoft Sentinel™ to the ThreatConnect® data model when using the Microsoft Sentinel Content Pack.

Incident

ThreatConnect object type: Incident Group

Table 1: Incident

Microsoft Sentinel Name           | Data Type                    | ThreatConnect Mapping
etag                              | String                       | N/A
id                                | String                       | N/A
name                              | String                       | Incident Group: Name/Summary
properties.additionalData         | IncidentAdditionalData       | N/A
properties.classification         | IncidentClassification       | N/A
properties.classificationComment  | String                       | N/A
properties.classificationReason   | IncidentClassificationReason | N/A
properties.createdTimeUtc         | String                       | Incident Group: Event Date
properties.description            | String                       | Attribute: "Description"
properties.firstActivityTimeUtc   | String                       | N/A
properties.incidentNumber         | Integer                      | N/A
properties.incidentUrl            | String                       | Attribute: "Additional Analysis and Context"
properties.labels                 | IncidentLabel[]              | N/A
properties.lastActivityTimeUtc    | String                       | N/A
properties.lastModifiedTimeUtc    | String                       | Attribute: "External Last Modified Time"
properties.owner                  | IncidentOwnerInfo            | N/A
properties.providerIncidentId     | String                       | N/A
properties.providerName           | String                       | N/A
properties.relatedAnalyticRuleIds | String Array                 | N/A
properties.severity               | IncidentSeverity             | N/A
properties.status                 | IncidentStatus               | Incident Group: Status¹
properties.title                  | String                       | N/A
systemData                        | systemData                   | N/A
type                              | String                       | N/A

¹ In ThreatConnect, an Incident Group's status cannot be set to Active. If an incident in Microsoft Sentinel has an Active status, the status of the corresponding Incident Group in ThreatConnect will be set to New.

Alerts

ThreatConnect object type: Event Group

Table 2: Alerts

Microsoft Sentinel Name | Data Type | ThreatConnect Mapping
AlertLink               | String    | N/A
AlertName               | String    | Event Group: Name/Summary
AlertSeverity           | String    | Event Group: Event Status
AlertType               | String    | N/A
CompromisedEntity       | String    | N/A
ConfidenceLevel         | String    | N/A
ConfidenceScore         | Real      | N/A
Description             | String    | Attribute: "Description"
DisplayName             | String    | N/A
EndTime                 | Date Time | Attribute: "Last Seen"
Entities                | String    | Indicators²
ExtendedLinks           | String    | N/A
ExtendedProperties      | String    | N/A
IsIncident              | Boolean   | N/A
ProcessingEndTime       | Date Time | N/A
ProductComponentName    | String    | N/A
ProductName             | String    | N/A
ProviderName            | String    | N/A
RemediationSteps        | String    | N/A
ResourceId              | String    | N/A
SourceComputerId        | String    | N/A
SourceSystem            | String    | N/A
StartTime               | Date Time | Attribute: "First Seen"
Status                  | String    | N/A
SystemAlertId           | String    | N/A
Tactics                 | String    | N/A
Techniques              | String    | N/A
TenantId                | String    | N/A
TimeGenerated           | Date Time | Event Group: Event Date
Type                    | String    | N/A
VendorName              | String    | N/A
VendorOriginalId        | String    | N/A
WorkspaceResourceGroup  | String    | N/A
WorkspaceSubscriptionId | String    | N/A

² These Indicators will be associated to the Event Group and may be viewed on the Associations tab of the Group's Details screen.
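The following is an added example, not code from the Content Pack itself, showing how the mappings in Table 1 (incident to Incident Group) and Table 2 (alert to Event Group) behave when applied to records, including the status rule from the footnote on Table 1. Input field names follow the Sentinel incident REST resource and the SecurityAlert table; the output dictionary shape ("name", "eventDate", "status", "attributes") and the pass-through of status values other than Active are assumptions made for illustration, not the ThreatConnect API payload format.

```python
"""Map a Microsoft Sentinel incident and alert to ThreatConnect groups.

Added example, not the Content Pack's own code. It applies the field mappings
in Table 1 (incident -> Incident Group) and Table 2 (alert -> Event Group) and
the incident-status footnote. The output dictionary shape is an illustrative
assumption, not the ThreatConnect API payload format.
"""
from __future__ import annotations

# ThreatConnect cannot set an Incident Group to Active, so Sentinel's "Active"
# becomes "New" (footnote 1). Other values pass through unchanged (assumption).
INCIDENT_STATUS_OVERRIDES = {"Active": "New"}

# (Sentinel property, ThreatConnect attribute type) pairs from Table 1 / Table 2.
INCIDENT_ATTRIBUTES = (
    ("description", "Description"),
    ("incidentUrl", "Additional Analysis and Context"),
    ("lastModifiedTimeUtc", "External Last Modified Time"),
)
ALERT_ATTRIBUTES = (
    ("Description", "Description"),
    ("StartTime", "First Seen"),
    ("EndTime", "Last Seen"),
)


def _attributes(record: dict, pairs: tuple) -> list[dict]:
    """Build attribute entries for the mapped fields only; null/missing fields are skipped."""
    return [{"type": tc_type, "value": record[field]}
            for field, tc_type in pairs if record.get(field) is not None]


def map_incident(incident: dict) -> dict:
    """Table 1: Sentinel incident -> ThreatConnect Incident Group."""
    props = incident.get("properties", {})
    status = props.get("status")
    return {
        "type": "Incident",
        "name": incident.get("name"),              # Table 1 maps "name", not properties.title
        "eventDate": props.get("createdTimeUtc"),  # Incident Group: Event Date
        "status": INCIDENT_STATUS_OVERRIDES.get(status, status),
        "attributes": _attributes(props, INCIDENT_ATTRIBUTES),
    }


def map_alert(alert: dict) -> dict:
    """Table 2: SecurityAlert row -> ThreatConnect Event Group (Entities are mapped separately)."""
    return {
        "type": "Event",
        "name": alert.get("AlertName"),
        "eventDate": alert.get("TimeGenerated"),
        # Table 2 maps AlertSeverity onto the Event Group's Event Status; passed through as-is.
        "eventStatus": alert.get("AlertSeverity"),
        "attributes": _attributes(alert, ALERT_ATTRIBUTES),
    }


# Constructed sample records (not real Sentinel data).
SAMPLE_INCIDENT = {
    "etag": '"01000000-0000-0000-0000-000000000000"',
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sec"
          "/providers/Microsoft.OperationalInsights/workspaces/law-sec"
          "/providers/Microsoft.SecurityInsights/incidents/4f3b2a10-1111-2222-3333-444444444444",
    "name": "Suspicious sign-in followed by inbox rule creation",
    "properties": {
        "title": "Suspicious sign-in followed by inbox rule creation",
        "description": "Sign-in from an unfamiliar location, then a new forwarding rule.",
        "severity": "High",
        "status": "Active",
        "incidentNumber": 1042,
        "createdTimeUtc": "2023-10-13T14:02:11.123Z",
        "lastModifiedTimeUtc": "2023-10-13T15:40:00.000Z",
        "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/example",
    },
}
SAMPLE_ALERT = {
    "AlertName": "Anomalous sign-in location",
    "AlertSeverity": "Medium",
    "Description": "Sign-in from a location not previously seen for this user.",
    "StartTime": "2023-10-13T13:55:00Z",
    "EndTime": "2023-10-13T13:58:30Z",
    "TimeGenerated": "2023-10-13T14:00:05Z",
    "Tactics": "InitialAccess",
    "Entities": "[]",
}

if __name__ == "__main__":
    print(map_incident(SAMPLE_INCIDENT))
    print(map_alert(SAMPLE_ALERT))
```

Only the properties a table maps survive the conversion; everything listed as N/A (severity, owner, labels, incident number) is dropped, so anything an analyst needs from those fields has to be retrieved from Sentinel through the "Additional Analysis and Context" URL rather than from the ThreatConnect group.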

Microsoft Sentinel Entity to ThreatConnect Mappings

Note
In Table 3 through Table 11, a question mark (?) appended to the value in the Data Type column indicates that the field can have a null value.

Unmapped Entity Types

The following Microsoft Sentinel entity types are not mapped to objects in the ThreatConnect data model:

  • User account (Account)
  • Process
  • Cloud application (CloudApplication)
  • Domain name (DNS)
  • Azure® resource
  • Security group
  • IoT device
  • Mail cluster
  • Mail message
  • Submission mail

Host

ThreatConnect object type: Host Indicator

Table 3: Host

Microsoft Sentinel Name | Data Type | ThreatConnect Mapping
Type                    | String    | Indicator Type (Host)
DnsDomain               | String    | N/A
NTDomain                | String    | N/A
HostName                | String    | Host Indicator: Host Name
FullName                | N/A       | N/A
NetBiosName             | String    | N/A
IoTDevice               | Entity    | N/A
AzureID                 | String    | N/A
OMSAgentID              | String    | N/A
OSFamily                | Enum?     | N/A
OSVersion               | String    | N/A
IsDomainJoined          | Boolean   | N/A

Address

ThreatConnect object type: Address Indicator

Table 4: Address

Microsoft Sentinel Name | Data Type   | ThreatConnect Mapping
Type                    | String      | Indicator Type (Address)
Address                 | String      | Address Indicator: IP Address
Location                | GeoLocation | N/A

Malware

ThreatConnect object type: Malware Group

Table 5: Malware

Microsoft Sentinel Name | Data Type    | ThreatConnect Mapping
Type                    | String       | Group Type (Malware)
Name                    | String       | Malware Group: Name/Summary
Category                | String       | Attribute: "Malware Family Variety"
Files                   | List<Entity> | N/A
Processes               | List<Entity> | N/A

File

ThreatConnect object type: File Indicator

Table 6: File

Microsoft Sentinel Name | Data Type    | ThreatConnect Mapping
Type                    | String       | Indicator Type (File)
Directory               | String       | N/A
Name                    | String       | N/A
Host                    | Entity       | N/A
FileHashes              | List<Entity> | File Indicator: Hash Values (MD5, SHA1, and SHA256)

File Hash

ThreatConnect object type: File Indicator

Table 7: File Hash

Microsoft Sentinel Name | Data Type | ThreatConnect Mapping
Type                    | String    | Indicator Type (File)
Algorithm               | Enum      | File Indicator: Hash Type (MD5, SHA1, and SHA256)
Value                   | String    | File Indicator: Hash Value

Registry Key

ThreatConnect object type: Registry Key Indicator

Table 8: Registry Key

Microsoft Sentinel Name | Data Type | ThreatConnect Mapping
Type                    | String    | Indicator Type (Registry Key)
Hive                    | Enum?     | Registry Key Indicator: Key Name
Key                     | String    | Registry Key Indicator: Value Name

Registry Value

ThreatConnect object type: Registry Key Indicator

Table 9: Registry Value

Microsoft Sentinel Name | Data Type            | ThreatConnect Mapping
Type                    | String               | Indicator Type (Registry Key)
Key                     | Entity (RegistryKey) | Registry Key Indicator: Key Name
Name                    | String               | Registry Key Indicator: Value Name
Value                   | String               | N/A
ValueType               | Enum?                | Registry Key Indicator: Value Type

URL

ThreatConnect object type: URL Indicator
Table 10: URL

Microsoft Sentinel Name | Data Type | ThreatConnect Mapping
Type                    | String    | Indicator Type (URL)
Url                     | Uri       | URL Indicator: URL

Mailbox

ThreatConnect object type: Email Address Indicator

Table 11: Mailbox

Microsoft Sentinel Name   | Data Type | ThreatConnect Mapping
Type                      | String    | Indicator Type (Email Address)
MailboxPrimaryAddress     | String    | Email Address Indicator: Email Address
DisplayName               | String    | N/A
Upn                       | String    | N/A
RiskLevel                 | Enum?     | N/A
ExternalDirectoryObjectId | Guid?     | N/A
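The following is an added example, not code from the Content Pack, that applies Tables 3 through 11 and the list of unmapped entity types to the JSON array carried in an alert's Entities column. It shows the behaviours a practitioner would want to confirm: unmapped entity types are skipped rather than failing the alert, nullable (?) fields such as ValueType are only emitted when present, and a File entity's FileHashes list is reduced to the MD5/SHA1/SHA256 values a File Indicator accepts. Assumptions not taken from the page: the lower-case "Type" values (host, ip, malware, file, filehash, registry-value, url, mailbox, account, process) and the nested Key object of a Registry Value entity follow the shape of the SecurityAlert Entities column; the Key Name of a Registry Value is composed as Hive\Key; the Registry Key entity of Table 8 is handled only as that nested key; and the output dictionaries are an illustrative shape, not the ThreatConnect API format.

```python
"""Map Microsoft Sentinel alert entities to ThreatConnect indicators and groups.

Added example, not the Content Pack's own code. It applies Tables 3 through 11
and the list of unmapped entity types. The "Type" values, the nested Key object
of a registry-value entity, the Hive\\Key composition of the key name and the
output dictionary shape are assumptions for illustration.
"""
from __future__ import annotations
import json

# Hash algorithms Table 7 says a File Indicator accepts; anything else
# (for example Sentinel's "SHA256AC" or "Unknown") is dropped rather than mis-filed.
ACCEPTED_HASHES = {"MD5", "SHA1", "SHA256"}

# Entity types the page lists as not mapped to any ThreatConnect object (assumed Type values).
UNMAPPED_TYPES = {"account", "process", "cloud-application", "dns", "azure-resource",
                  "security-group", "iotdevice", "mailcluster", "mailmessage", "submission-mail"}


def _file_hashes(hashes: list[dict] | None) -> dict[str, str]:
    """Table 7: keep only MD5/SHA1/SHA256 hash values, keyed by lower-case algorithm name."""
    out: dict[str, str] = {}
    for h in hashes or []:
        algo = (h.get("Algorithm") or "").upper()
        if algo in ACCEPTED_HASHES and h.get("Value"):
            out[algo.lower()] = h["Value"].lower()
    return out


def map_entity(entity: dict) -> dict | None:
    """Return one ThreatConnect object for a Sentinel entity, or None if it is not mapped."""
    etype = (entity.get("Type") or "").lower()
    if etype in UNMAPPED_TYPES:
        return None
    if etype == "host" and entity.get("HostName"):                       # Table 3
        return {"type": "Host", "hostName": entity["HostName"]}
    if etype == "ip" and entity.get("Address"):                           # Table 4
        return {"type": "Address", "ip": entity["Address"]}
    if etype == "malware" and entity.get("Name"):                         # Table 5
        attrs = []
        if entity.get("Category"):
            attrs.append({"type": "Malware Family Variety", "value": entity["Category"]})
        return {"type": "Malware", "name": entity["Name"], "attributes": attrs}
    if etype == "file":                                                   # Table 6
        hashes = _file_hashes(entity.get("FileHashes"))
        return {"type": "File", **hashes} if hashes else None
    if etype == "filehash":                                               # Table 7
        hashes = _file_hashes([entity])
        return {"type": "File", **hashes} if hashes else None
    if etype == "registry-value":                                         # Table 9
        key = entity.get("Key") or {}
        # Key Name from the nested RegistryKey entity; Hive\Key composition is an assumption.
        key_name = "\\".join(p for p in (key.get("Hive"), key.get("Key")) if p)
        if not key_name or not entity.get("Name"):
            return None
        obj = {"type": "Registry Key", "keyName": key_name, "valueName": entity["Name"]}
        if entity.get("ValueType") is not None:   # ValueType is Enum? (nullable), so it is optional
            obj["valueType"] = entity["ValueType"]
        return obj
    if etype == "url" and entity.get("Url"):                              # Table 10
        return {"type": "URL", "text": entity["Url"]}
    if etype == "mailbox" and entity.get("MailboxPrimaryAddress"):        # Table 11
        return {"type": "EmailAddress", "address": entity["MailboxPrimaryAddress"]}
    return None


def map_entities(entities_json: str) -> list[dict]:
    """Parse the Entities column (a JSON array) and map every entity it contains."""
    return [m for m in (map_entity(e) for e in json.loads(entities_json)) if m]


# Constructed sample Entities column (not real alert data).
SAMPLE_ENTITIES = json.dumps([
    {"Type": "account", "Name": "jdoe"},
    {"Type": "host", "HostName": "ws-042", "OSFamily": None, "IsDomainJoined": True},
    {"Type": "ip", "Address": "203.0.113.7"},
    {"Type": "file", "Name": "dropper.exe", "FileHashes": [
        {"Type": "filehash", "Algorithm": "SHA256", "Value": "9F" + "0" * 62},
        {"Type": "filehash", "Algorithm": "SHA256AC", "Value": "AA" + "0" * 62}]},
    {"Type": "registry-value",
     "Key": {"Type": "registry-key", "Hive": "HKEY_LOCAL_MACHINE",
             "Key": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"},
     "Name": "Updater", "Value": "C:\\Users\\Public\\dropper.exe", "ValueType": "String"},
    {"Type": "url", "Url": "http://example.test/payload"},
    {"Type": "mailbox", "MailboxPrimaryAddress": "alice@example.test", "RiskLevel": None},
])

if __name__ == "__main__":
    for obj in map_entities(SAMPLE_ENTITIES):
        print(obj)
```

Running the block on the constructed sample yields six objects: the account entity is dropped as unmapped, the file keeps only its SHA256 value, and the registry value carries its nullable ValueType because it was present. Note that the registry Value field and the file Name/Directory fields are listed as N/A in Tables 6 and 9, so the resulting indicators carry no information about the file path or the data written to the registry.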

ThreatConnect® is a registered trademark of ThreatConnect, Inc.
Azure® is a registered trademark, and Microsoft Sentinel™ is a trademark, of Microsoft Corporation.

20153-04 v.02.A