Microsoft Sentinel Content Pack Data Mappings
- 13 Oct 2023
- 1 Minute to read
-
Print
-
DarkLight
Microsoft Sentinel Content Pack Data Mappings
- Updated on 13 Oct 2023
- 1 Minute to read
-
Print
-
DarkLight
Article summary
Did you find this summary helpful?
Thank you for your feedback
The data mappings in Table 1 through Table 11 illustrate how data are mapped from Microsoft Sentinel™ to the ThreatConnect® data model when using the Microsoft Sentinel Content Pack.
Incident
ThreatConnect object type: Incident Group
| Microsoft Sentinel Name | Data Type | ThreatConnect Mapping |
|---|---|---|
| etag | String | N/A |
| id | String | N/A |
| name | String | Incident Group: Name/Summary |
| properties.additionalData | IncidentAdditionalData | N/A |
| properties.classification | IncidentClassification | N/A |
| properties.classificationComment | String | N/A |
| properties.classificationReason | IncidentClassificationReason | N/A |
| properties.createdTimeUtc | String | Incident Group: Event Date |
| properties.description | String | Attribute: "Description" |
| properties.firstActivityTimeUtc | String | N/A |
| properties.incidentNumber | Integer | N/A |
| properties.incidentUrl | String | Attribute: "Additional Analysis and Context" |
| properties.labels | IncidentLabel[] | N/A |
| properties.lastActivityTimeUtc | String | N/A |
| properties.lastModifiedTimeUtc | String | Attribute: "External Last Modified Time" |
| properties.owner | IncidentOwnerInfo | N/A |
| properties.providerIncidentId | String | N/A |
| properties.providerName | String | N/A |
| properties.relatedAnalyticRuleIds | String Array | N/A |
| properties.severity | IncidentSeverity | N/A |
| properties.status | IncidentStatus | Incident Group: Status1 |
| properties.title | String | N/A |
| systemData | systemData | N/A |
| type | String | N/A |
1 In ThreatConnect, an Incident Group’s status cannot be set to Active. If an incident in Microsoft Sentinel has an active status, the status of the corresponding Incident Group in ThreatConnect will be set to New.
Alerts
ThreatConnect object type: Event Group
| Microsoft Sentinel Name | Data Type | ThreatConnect Mapping |
|---|---|---|
| AlertLink | String | N/A |
| AlertName | String | Event Group: Name/Summary |
| AlertSeverity | String | Event Group: Event Status |
| AlertType | String | N/A |
| CompromisedEntity | String | N/A |
| ConfidenceLevel | String | N/A |
| ConfidenceScore | Real | N/A |
| Description | String | Attribute: "Description" |
| DisplayName | String | N/A |
| EndTime | Date Time | Attribute: "Last Seen" |
| Entities | String | Indicators Note These Indicators will be associated to the Event Group and may be viewed on the Associations tab of the Group’s Details screen. |
| ExtendedLinks | String | N/A |
| ExtendedProperties | String | N/A |
| IsIncident | Boolean | N/A |
| ProcessingEndTime | Date Time | N/A |
| ProductComponentName | String | N/A |
| ProductName | String | N/A |
| ProviderName | String | N/A |
| RemediationSteps | String | N/A |
| ResourceId | String | N/A |
| SourceComputerId | String | N/A |
| SourceSystem | String | N/A |
| StartTime | Date Time | Attribute: "First Seen" |
| Status | String | N/A |
| SystemAlertId | String | N/A |
| Tactics | String | N/A |
| Techniques | String | N/A |
| TenantId | String | N/A |
| TimeGenerated | Date Time | Event Group: Event Date |
| Type | String | N/A |
| VendorName | String | N/A |
| VendorOriginalId | String | N/A |
| WorkspaceResourceGroup | String | N/A |
| WorkspaceSubscriptionId | String | N/A |
Microsoft Sentinel Entity to ThreatConnect Mappings
Note
In Table 3 through Table 11, a question mark (?) appended to the value in the Data Type column indicates that the field can have a null value.
Unmapped Entity Types
The following Microsoft Sentinel entity types are not mapped to objects in the ThreatConnect data model:
- User account (Account)
- Process
- Cloud application (CloudApplication)
- Domain name (DNS)
- Azure® resource
- Security group
- IoT device
- Mail cluster
- Mail message
- Submission mail
Host
ThreatConnect object type: Host Indicator
| Microsoft Sentinel Name | Data Type | ThreatConnect Mapping |
|---|---|---|
| Type | String | Indicator Type (Host) |
| DnsDomain | String | N/A |
| NTDomain | String | N/A |
| HostName | String | Host Indicator: Host Name |
| FullName | N/A | N/A |
| NetBiosName | String | N/A |
| IoTDevice | Entity | N/A |
| AzureID | String | N/A |
| OMSAgentID | String | N/A |
| OSFamily | Enum? | N/A |
| OSVersion | String | N/A |
| IsDomainJoined | Boolean | N/A |
Address
ThreatConnect object type: Address Indicator
| Microsoft Sentinel Name | Data Type | ThreatConnect Mapping |
|---|---|---|
| Microsoft Sentinel Field | Data Type | ThreatConnect Mapping |
| Type | String | Indicator Type (Address) |
| Address | String | Address Indicator: IP Address |
| Location | GeoLocation | N/A |
Malware
ThreatConnect object type: Malware Group
| Microsoft Sentinel Name | Data Type | ThreatConnect Mapping |
|---|---|---|
| Type | String | Group Type (Malware) |
| Name | String | Malware Group: Name/Summary |
| Category | String | Attribute: "Malware Family Variety" |
| Files | List<Entity> | N/A |
| Processes | List<Entity> | N/A |
File
ThreatConnect object type: File Indicator
| Microsoft Sentinel Name | Data Type | ThreatConnect Mapping |
|---|---|---|
| Type | String | Indicator Type (File) |
| Directory | String | N/A |
| Name | String | N/A |
| Host | Entity | N/A |
| FileHashes | List<Entity> | File Indicator: Hash Values (MD5, SHA1, and SHA256) |
File Hash
ThreatConnect object type: File Indicator
| Microsoft Sentinel Name | Data Type | ThreatConnect Mapping |
|---|---|---|
| Type | String | Indicator Type (File) |
| Algorithm | Enum | File Indicator: Hash Type (MD5, SHA1, and SHA256) |
| Value | String | File Indicator: Hash Value |
Registry Key
ThreatConnect object type: Registry Key Indicator
| Microsoft Sentinel Name | Data Type | ThreatConnect Mapping |
|---|---|---|
| Type | String | Indicator Type (Registry Key) |
| Hive | Enum? | Registry Key Indicator: Key Name |
| Key | String | Registry Key Indicator: Value Name |
Registry Value
ThreatConnect object type: Registry Key Indicator
| Microsoft Sentinel Name | Data Type | ThreatConnect Mapping |
|---|---|---|
| Type | String | Indicator Type (Registry Key) |
| Key | Entity (RegistryKey) | Registry Key Indicator: Key Name |
| Name | String | Registry Key Indicator: Value Name |
| Value | String | N/A |
| ValueType | Enum? | Registry Key Indicator: Value Type |
URL
ThreatConnect object type: URL Indicator
| Microsoft Sentinel Name | Data Type | ThreatConnect Mapping |
|---|---|---|
| Type | String | Indicator Type (URL) |
| Url | Uri | URL Indicator: URL |
Mailbox
ThreatConnect object type: Email Address Indicator
| Microsoft Sentinel Name | Data Type | ThreatConnect Mapping |
|---|---|---|
| Type | String | Indicator Type (Email Address) |
| MailboxPrimaryAddress | String | Email Address Indicator: Email Address |
| DisplayName | String | N/A |
| Upn | String | N/A |
| RiskLevel | Enum? | N/A |
| ExternalDirectoryObjectId | Guid? | N/A |
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
Azure® is a registered trademark, and Microsoft Sentinel™ is a trademark, of Microsoft Corporation.
20153-04 v.02.A
Was this article helpful?
