diff --git a/tools/config/ecs-ms365_defender.yml b/tools/config/ecs-ms365_defender.yml
new file mode 100644
index 00000000..9bf97867
--- /dev/null
+++ b/tools/config/ecs-ms365_defender.yml
@@ -0,0 +1,18 @@
+title: Microsoft 365 Defender Elasticsearch ecs mapping
+order: 20
+backends:
+ - es-qs
+ - es-rule
+fieldmappings:
+ classification: microsoft.m365_defender.alerts.classification
+ determination: microsoft.m365_defender.alerts.determination
+ severity: microsoft.m365_defender.alerts.severity
+ status: microsoft.m365_defender.alerts.status
+ detectionSource: microsoft.m365_defender.alerts.detectionSource
+ threatFamilyName: microsoft.m365_defender.alerts.threatFamilyName
+ entityType: microsoft.m365_defender.alerts.entityType
+ registryHive: microsoft.m365_defender.alerts.entities.registryHive
+ registryKey: microsoft.m365_defender.alerts.entities.registryKey
+ registryValueType: microsoft.m365_defender.alerts.entities.registryValueType
+ ipAddress: microsoft.m365_defender.alerts.entities.ipAddress
+
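Review bot: The `entityType` mapping breaks the pattern of the other entity-level fields: `registryHive`, `registryKey`, `registryValueType` and `ipAddress` all map under `microsoft.m365_defender.alerts.entities.*`, but `entityType` maps to `microsoft.m365_defender.alerts.entityType`. If entityType is an attribute of the entities object, as its siblings suggest, a rule filtering on it would be translated to a field that does not exist in the index and would silently match nothing, which is a detection gap rather than a visible error; the line should presumably read `entityType: microsoft.m365_defender.alerts.entities.entityType`, to be confirmed against the actual index mapping. The file also describes itself as an "ecs mapping" while every target is a vendor namespace rather than an ECS field, so a header comment such as `# Targets the microsoft.m365_defender.* namespace, not standard ECS field names` would stop readers from expecting ECS names in generated queries. Any Sigma field not listed here is passed through unmapped by the es-qs and es-rule backends, so a short comment noting that omission means "no translation" would help maintainers judge coverage when rules for this source are added.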