splunk / TA-microsoft-365-defender-advanced-hunting-add-on


Changed schema naming of AlertInfo table #7

Closed thilles closed 3 years ago

thilles commented 3 years ago

Seems like the schema for AlertInfo has changed somewhat. It doesn't include a MitreTechniques field anymore, only AttackTechniques. https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-alertinfo-table?view=o365-worldwide E.g. AttackTechniques = ["Scheduled Task/Job (T1053)","Scheduled Task (T1053.005)"].

https://github.com/splunk/TA-microsoft-365-defender-advanced-hunting-add-on/blob/7921384aeffe707ed1769f5ee3077f1030d261fb/default/props.conf#L24 https://github.com/splunk/TA-microsoft-365-defender-advanced-hunting-add-on/blob/7921384aeffe707ed1769f5ee3077f1030d261fb/default/props.conf#L127
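As an added example (not the add-on's own code) of the field change described in this issue, the following normalises an AlertInfo row: it reads AttackTechniques, falls back to the legacy MitreTechniques name, and splits each entry such as "Scheduled Task (T1053.005)" into technique name, ATT&CK ID and parent technique. The sample rows and AlertId values are constructed.

```python
import json
import re

# One entry looks like "Scheduled Task/Job (T1053)"; the ID is the trailing
# parenthesised token: T + 4 digits, with an optional .NNN sub-technique.
_TECHNIQUE_RE = re.compile(r"^(?P<name>.*?)\s*\((?P<id>T\d{4}(?:\.\d{3})?)\)$")

# Field names to try, current schema first, then the legacy name.
_FIELD_CANDIDATES = ("AttackTechniques", "MitreTechniques")


def parse_technique(entry: str) -> dict:
    """Split one entry into name, id and parent (base technique, e.g. T1053)."""
    m = _TECHNIQUE_RE.match(entry.strip())
    if not m:
        # Keep unparseable values visible instead of dropping them silently.
        return {"name": entry, "id": None, "parent": None}
    tid = m.group("id")
    return {"name": m.group("name"), "id": tid, "parent": tid.split(".")[0]}


def extract_techniques(event: dict) -> list:
    """Return parsed techniques from whichever field the row carries.

    The field may arrive as a JSON-encoded string (as exported) or as an
    already-decoded list; both forms are accepted.
    """
    for field in _FIELD_CANDIDATES:
        raw = event.get(field)
        if raw is None:
            continue
        entries = json.loads(raw) if isinstance(raw, str) else raw
        return [parse_technique(e) for e in entries]
    return []


# Constructed sample rows (not real Defender data), one per schema version.
NEW_SCHEMA_ROW = {
    "AlertId": "constructed-alert-1",
    "AttackTechniques": '["Scheduled Task/Job (T1053)","Scheduled Task (T1053.005)"]',
}
LEGACY_SCHEMA_ROW = {
    "AlertId": "constructed-alert-2",
    "MitreTechniques": ["Scheduled Task/Job (T1053)"],
}

if __name__ == "__main__":
    for row in (NEW_SCHEMA_ROW, LEGACY_SCHEMA_ROW):
        ids = sorted({t["id"] for t in extract_techniques(row) if t["id"]})
        print(row["AlertId"], ids)
```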

inspired commented 3 years ago

Thanks. Fixed in 2b4d813c9656971f38b0885528f48387bceb4be8