---
title: "Microsoft Sentinel Content Pack Data Mappings | ThreatConnect"
slug: "microsoft-sentinel-content-pack-data-mappings"
description: "This article provides data mappings for data created in ThreatConnect from incidents, alerts, and entities in Microsoft Sentinel. These data mappings apply to the Microsoft Sentinel Content Pack."
updated: 2023-10-13T12:56:13Z
published: 2023-10-13T12:56:13Z
---


# Microsoft Sentinel Content Pack Data Mappings

The data mappings in Table 1 through Table 11 illustrate how data are mapped from Microsoft Sentinel™ to the [ThreatConnect® data model](https://knowledge.threatconnect.com/docs/the-threatconnect-data-model) when using the Microsoft Sentinel Content Pack.

## Incident

ThreatConnect object type: Incident Group

| Microsoft Sentinel Name | Data Type | ThreatConnect Mapping |
| --- | --- | --- |
| etag | String | N/A |
| id | String | N/A |
| name | String | Incident Group: Name/Summary |
| properties.additionalData | [IncidentAdditionalData](https://learn.microsoft.com/en-us/rest/api/securityinsights/stable/incidents/get?source=recommendations&tabs=HTTP#incidentadditionaldata) | N/A |
| properties.classification | [IncidentClassification](https://learn.microsoft.com/en-us/rest/api/securityinsights/stable/incidents/get?source=recommendations&tabs=HTTP#incidentclassification) | N/A |
| properties.classificationComment | String | N/A |
| properties.classificationReason | [IncidentClassificationReason](https://learn.microsoft.com/en-us/rest/api/securityinsights/stable/incidents/get?source=recommendations&tabs=HTTP#incidentclassificationreason) | N/A |
| properties.createdTimeUtc | String | Incident Group: Event Date |
| properties.description | String | Attribute: "Description" |
| properties.firstActivityTimeUtc | String | N/A |
| properties.incidentNumber | Integer | N/A |
| properties.incidentUrl | String | Attribute: "Additional Analysis and Context" |
| properties.labels | [IncidentLabel](https://learn.microsoft.com/en-us/rest/api/securityinsights/stable/incidents/get?source=recommendations&tabs=HTTP#incidentlabel)[] | N/A |
| properties.lastActivityTimeUtc | String | N/A |
| properties.lastModifiedTimeUtc | String | Attribute: "External Last Modified Time" |
| properties.owner | [IncidentOwnerInfo](https://learn.microsoft.com/en-us/rest/api/securityinsights/stable/incidents/get?source=recommendations&tabs=HTTP#incidentownerinfo) | N/A |
| properties.providerIncidentId | String | N/A |
| properties.providerName | String | N/A |
| properties.relatedAnalyticRuleIds | String Array | N/A |
| properties.severity | [IncidentSeverity](https://learn.microsoft.com/en-us/rest/api/securityinsights/stable/incidents/get?source=recommendations&tabs=HTTP#incidentseverity) | N/A |
| properties.status | [IncidentStatus](https://learn.microsoft.com/en-us/rest/api/securityinsights/stable/incidents/get?source=recommendations&tabs=HTTP#incidentstatus) | Incident Group: Status <sup>1</sup> |
| properties.title | String | N/A |
| systemData | [systemData](https://learn.microsoft.com/en-us/rest/api/securityinsights/stable/incidents/get?source=recommendations&tabs=HTTP#systemdata) | N/A |
| type | String | N/A |

<sup>1</sup> In ThreatConnect, an Incident Group’s status cannot be set to **Active**. If an incident in Microsoft Sentinel has an active status, the status of the corresponding Incident Group in ThreatConnect will be set to **New**.

## Alerts

ThreatConnect object type: Event Group

| Microsoft Sentinel Name | Data Type | ThreatConnect Mapping |
| --- | --- | --- |
| AlertLink | String | N/A |
| AlertName | String | Event Group: Name/Summary |
| AlertSeverity | String | Event Group: Event Status |
| AlertType | String | N/A |
| CompromisedEntity | String | N/A |
| ConfidenceLevel | String | N/A |
| ConfidenceScore | Real | N/A |
| Description | String | Attribute: "Description" |
| DisplayName | String | N/A |
| EndTime | Date Time | Attribute: "Last Seen" |
| Entities | String | Indicators. **Note:** These Indicators will be associated to the Event Group and may be viewed on the [**Associations** tab](https://knowledge.threatconnect.com/docs/the-associations-tab) of the Group’s [**Details** screen](https://knowledge.threatconnect.com/docs/the-details-screen). |
| ExtendedLinks | String | N/A |
| ExtendedProperties | String | N/A |
| IsIncident | Boolean | N/A |
| ProcessingEndTime | Date Time | N/A |
| ProductComponentName | String | N/A |
| ProductName | String | N/A |
| ProviderName | String | N/A |
| RemediationSteps | String | N/A |
| ResourceId | String | N/A |
| SourceComputerId | String | N/A |
| SourceSystem | String | N/A |
| StartTime | Date Time | Attribute: "First Seen" |
| Status | String | N/A |
| SystemAlertId | String | N/A |
| Tactics | String | N/A |
| Techniques | String | N/A |
| TenantId | String | N/A |
| TimeGenerated | Date Time | Event Group: Event Date |
| Type | String | N/A |
| VendorName | String | N/A |
| VendorOriginalId | String | N/A |
| WorkspaceResourceGroup | String | N/A |
| WorkspaceSubscriptionId | String | N/A |

## Microsoft Sentinel Entity to ThreatConnect Mappings

**Note:** In Table 3 through Table 11, a question mark (**?**) appended to the value in the **Data Type** column indicates that the field can have a null value.

### Unmapped Entity Types

The following [Microsoft Sentinel entity types](https://learn.microsoft.com/en-us/azure/sentinel/entities-reference) *are not mapped* to objects in the ThreatConnect data model:

- User account (Account)
- Process
- Cloud application (CloudApplication)
- Domain name (DNS)
- Azure® resource
- Security group
- IoT device
- Mail cluster
- Mail message
- Submission mail

### Host

ThreatConnect object type: Host Indicator

| Microsoft Sentinel Name | Data Type | ThreatConnect Mapping |
| --- | --- | --- |
| Type | String | Indicator Type (Host) |
| DnsDomain | String | N/A |
| NTDomain | String | N/A |
| HostName | String | Host Indicator: Host Name |
| FullName | N/A | N/A |
| NetBiosName | String | N/A |
| IoTDevice | Entity | N/A |
| AzureID | String | N/A |
| OMSAgentID | String | N/A |
| OSFamily | Enum? | N/A |
| OSVersion | String | N/A |
| IsDomainJoined | Boolean | N/A |

### Address

ThreatConnect object type: Address Indicator

| Microsoft Sentinel Name | Data Type | ThreatConnect Mapping |
| --- | --- | --- |
| Type | String | Indicator Type (Address) |
| Address | String | Address Indicator: IP Address |
| Location | GeoLocation | N/A |

### Malware

ThreatConnect object type: Malware Group

| Microsoft Sentinel Name | Data Type | ThreatConnect Mapping |
| --- | --- | --- |
| Type | String | Group Type (Malware) |
| Name | String | Malware Group: Name/Summary |
| Category | String | Attribute: "Malware Family Variety" |
| Files | List<Entity> | N/A |
| Processes | List<Entity> | N/A |

### File

ThreatConnect object type: File Indicator

| Microsoft Sentinel Name | Data Type | ThreatConnect Mapping |
| --- | --- | --- |
| Type | String | Indicator Type (File) |
| Directory | String | N/A |
| Name | String | N/A |
| Host | Entity | N/A |
| FileHashes | List<Entity> | File Indicator: Hash Values (MD5, SHA1, and SHA256) |

### File Hash

ThreatConnect object type: File Indicator

| Microsoft Sentinel Name | Data Type | ThreatConnect Mapping |
| --- | --- | --- |
| Type | String | Indicator Type (File) |
| Algorithm | Enum | File Indicator: Hash Type (MD5, SHA1, and SHA256) |
| Value | String | File Indicator: Hash Value |

### Registry Key

ThreatConnect object type: Registry Key Indicator

| Microsoft Sentinel Name | Data Type | ThreatConnect Mapping |
| --- | --- | --- |
| Type | String | Indicator Type (Registry Key) |
| Hive | Enum? | Registry Key Indicator: Key Name |
| Key | String | Registry Key Indicator: Value Name |

### Registry Value

ThreatConnect object type: Registry Key Indicator

| Microsoft Sentinel Name | Data Type | ThreatConnect Mapping |
| --- | --- | --- |
| Type | String | Indicator Type (Registry Key) |
| Key | Entity (RegistryKey) | Registry Key Indicator: Key Name |
| Name | String | Registry Key Indicator: Value Name |
| Value | String | N/A |
| ValueType | Enum? | Registry Key Indicator: Value Type |

### URL

ThreatConnect object type: URL Indicator

| Microsoft Sentinel Name | Data Type | ThreatConnect Mapping |
| --- | --- | --- |
| Type | String | Indicator Type (URL) |
| Url | Uri | URL Indicator: URL |

### Mailbox

ThreatConnect object type: Email Address Indicator

| Microsoft Sentinel Name | Data Type | ThreatConnect Mapping |
| --- | --- | --- |
| Type | String | Indicator Type (Email Address) |
| MailboxPrimaryAddress | String | Email Address Indicator: Email Address |
| DisplayName | String | N/A |
| Upn | String | N/A |
| RiskLevel | Enum? | N/A |
| ExternalDirectoryObjectId | Guid? | N/A |

---

*ThreatConnect® is a registered trademark of ThreatConnect, Inc. Azure® is a registered trademark, and Microsoft Sentinel™ is a trademark, of Microsoft Corporation.*

20153-04 v.02.A
