From dd2f3e50db5d9887887ceb0ebfdf635d06704b35 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Fri, 24 Sep 2021 19:53:21 -0500
Subject: [PATCH 1/4] Create ecs-ms365_defender.yml

---
 tools/config/ecs-ms365_defender.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 tools/config/ecs-ms365_defender.yml

diff --git a/tools/config/ecs-ms365_defender.yml b/tools/config/ecs-ms365_defender.yml
new file mode 100644
index 00000000..c9447407
--- /dev/null
+++ b/tools/config/ecs-ms365_defender.yml
@@ -0,0 +1,16 @@
+title: Microsoft 365 Defender Logs Elasticsearch ecs mapping
+order: 20
+backends:
+  - es-qs
+  - es-rule
+fieldmappings:
+  classification: microsoft.m365_defender.alerts.classification
+  determination: microsoft.m365_defender.alerts.determination
+  severity: microsoft.m365_defender.alerts.severity
+  status: microsoft.m365_defender.alerts.status
+  detectionSource: microsoft.m365_defender.alerts.detectionSource
+  threatFamilyName: microsoft.m365_defender.alerts.threatFamilyName
+  registryHive: microsoft.m365_defender.alerts.entities.registryHive
+  registryKey: microsoft.m365_defender.alerts.entities.registryKey
+  registryValueType: microsoft.m365_defender.alerts.entities.registryValueType
+  ipAddress: microsoft.m365_defender.alerts.entities.ipAddress

From 176b9662fca9f73773e3f9cf57068ee2b2632415 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Fri, 24 Sep 2021 20:01:00 -0500
Subject: [PATCH 2/4] Update ecs-ms365_defender.yml

---
 tools/config/ecs-ms365_defender.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/config/ecs-ms365_defender.yml b/tools/config/ecs-ms365_defender.yml
index c9447407..2e6fee3a 100644
--- a/tools/config/ecs-ms365_defender.yml
+++ b/tools/config/ecs-ms365_defender.yml
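Review bot: The `fieldmappings` block in this hunk (and the same block re-created in patch 4, plus the `entityType` line added in patch 2) maps generic Sigma field names — `severity`, `status`, `classification`, `ipAddress` — with no logsource condition, so as I read sigmac's config handling every rule converted with this config will have those fields rewritten to `microsoft.m365_defender.alerts.*` regardless of the rule's logsource, and a rule written for another product ends up as a query that can never match, which is a silent detection gap rather than an error. If the mappings are meant only for Microsoft 365 Defender rules, scope them to a logsource definition (sigmac's conditional fieldmappings keyed on a `logsources` entry, if that is what the authors rely on elsewhere in tools/config) or, at minimum, state the intended coverage at the top of the file, e.g. `# Sigma field names below are only meaningful for Microsoft 365 Defender alert rules; keys are Sigma-side names, values are the ECS-style target fields` so the next maintainer knows these keys are not ECS fields. It would also help to document why `order: 20` was chosen, since order decides precedence when several configs are combined.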
@@ -10,6 +10,7 @@ fieldmappings:
   status: microsoft.m365_defender.alerts.status
   detectionSource: microsoft.m365_defender.alerts.detectionSource
   threatFamilyName: microsoft.m365_defender.alerts.threatFamilyName
+  entityType: microsoft.m365_defender.alerts.entities.entityType
   registryHive: microsoft.m365_defender.alerts.entities.registryHive
   registryKey: microsoft.m365_defender.alerts.entities.registryKey
   registryValueType: microsoft.m365_defender.alerts.entities.registryValueType

From 696f343ac3d3a93e64a9643d56d502de97ce6a83 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Fri, 24 Sep 2021 20:02:04 -0500
Subject: [PATCH 3/4] Delete ecs-ms365_defender.yml

---
 tools/config/ecs-ms365_defender.yml | 17 -----------------
 1 file changed, 17 deletions(-)
 delete mode 100644 tools/config/ecs-ms365_defender.yml

diff --git a/tools/config/ecs-ms365_defender.yml b/tools/config/ecs-ms365_defender.yml
deleted file mode 100644
index 2e6fee3a..00000000
--- a/tools/config/ecs-ms365_defender.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-title: Microsoft 365 Defender Logs Elasticsearch ecs mapping
-order: 20
-backends:
-  - es-qs
-  - es-rule
-fieldmappings:
-  classification: microsoft.m365_defender.alerts.classification
-  determination: microsoft.m365_defender.alerts.determination
-  severity: microsoft.m365_defender.alerts.severity
-  status: microsoft.m365_defender.alerts.status
-  detectionSource: microsoft.m365_defender.alerts.detectionSource
-  threatFamilyName: microsoft.m365_defender.alerts.threatFamilyName
-  entityType: microsoft.m365_defender.alerts.entities.entityType
-  registryHive: microsoft.m365_defender.alerts.entities.registryHive
-  registryKey: microsoft.m365_defender.alerts.entities.registryKey
-  registryValueType: microsoft.m365_defender.alerts.entities.registryValueType
-  ipAddress: microsoft.m365_defender.alerts.entities.ipAddress

From 00f4773eeb79d1fc9611e0f6256263da4507f904 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Fri, 24 Sep 2021 20:02:39 -0500
Subject: [PATCH 4/4] Create ecs-ms365_defender.yml

---
 tools/config/ecs-ms365_defender.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 tools/config/ecs-ms365_defender.yml

diff --git a/tools/config/ecs-ms365_defender.yml b/tools/config/ecs-ms365_defender.yml
new file mode 100644
index 00000000..9bf97867
--- /dev/null
+++ b/tools/config/ecs-ms365_defender.yml
@@ -0,0 +1,18 @@
+title: Microsoft 365 Defender Elasticsearch ecs mapping
+order: 20
+backends:
+  - es-qs
+  - es-rule
+fieldmappings:
+  classification: microsoft.m365_defender.alerts.classification
+  determination: microsoft.m365_defender.alerts.determination
+  severity: microsoft.m365_defender.alerts.severity
+  status: microsoft.m365_defender.alerts.status
+  detectionSource: microsoft.m365_defender.alerts.detectionSource
+  threatFamilyName: microsoft.m365_defender.alerts.threatFamilyName
+  entityType: microsoft.m365_defender.alerts.entities.entityType
+  registryHive: microsoft.m365_defender.alerts.entities.registryHive
+  registryKey: microsoft.m365_defender.alerts.entities.registryKey
+  registryValueType: microsoft.m365_defender.alerts.entities.registryValueType
+  ipAddress: microsoft.m365_defender.alerts.entities.ipAddress
+
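Review bot: The 18th added line of this hunk is empty, so the re-created file ends with a blank line after `ipAddress:`, which yamllint's empty-lines check flags and which is the only difference in line count against the 17-line file deleted in patch 3; drop that trailing empty line. The file also has no `---` document-start marker, unlike the yamllint default and the convention for these config files; start it with `---` before `title:`. Since the series deletes and re-creates the same path, squashing patches 1–4 into one commit would leave a cleaner history than a create/update/delete/create sequence whose only net change over patch 2 is the shorter title.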