What Changed
Both ASimAlertEventMicrosoftDefenderXDR and vimAlertEventMicrosoftDefenderXDR parsers were updated to version 0.2.0 with significant KQL logic improvements and field mapping corrections.
Parser Impact
Key changes include a corrected DvcIdType mapping (the emitted value changed from “MDEid” to “FQDN”), an improved Username field mapping (choosing between AccountName and AccountUpn), regex operations moved from the deprecated replace() function to replace_regex(), and a restructured AdditionalFields that consolidates IP addresses with make_list().
The parsers now collect IP addresses from all of RemoteIP, LocalIP and Host.IpInterfaces and expose them in a single IpAddresses array inside AdditionalFields, so IP-based correlation becomes one mv-expand over that array instead of a per-field lookup. Normalized field names and the filter parameters are unchanged, so existing detections built on these parsers keep working. One caveat: a detection that matches on the literal DvcIdType value “MDEid” will no longer match and needs updating to “FQDN”.
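To make the new AdditionalFields.IpAddresses array concrete, the following KQL is an added example and is not the parser's own code. It reproduces the consolidation pattern described above on constructed AlertEvidence-like rows (RemoteIP and LocalIP are real columns; the JSON nesting of Host.IpInterfaces inside AdditionalFields, the hostname trim, and the Indicators table are assumptions for the example) and then shows a detection consuming the array. It uses make_set() in place of the parser's make_list() so duplicates are removed before the join.

```kql
// Added example, not the parser's own KQL. Input rows are constructed: RemoteIP
// and LocalIP are real AlertEvidence columns, but the JSON shape of
// Host.IpInterfaces inside AdditionalFields is an assumption for this example.
let Evidence = datatable(AlertId:string, DeviceName:string, RemoteIP:string, LocalIP:string, AdditionalFields:string)
[
  "da-1", "ws01.contoso.local", "203.0.113.10", "10.0.0.5",
      '{"Host":{"IpInterfaces":[{"Address":"10.0.0.5"},{"Address":"fe80::1"}]}}',
  "da-1", "ws01.contoso.local", "", "", "",
  "da-2", "ws02.contoso.local", "198.51.100.7", "", ""
];
// Step 1: every IP a single evidence row carries, as one array.
// extract_all() over the raw JSON returns null when nothing matches, so guard
// it before array_concat(). Empty strings from blank RemoteIP/LocalIP are
// dropped after the expansion.
let PerRow = Evidence
| extend IfaceIps = extract_all(@'"Address":"([^"]+)"', AdditionalFields)
| extend IfaceIps = iff(isnull(IfaceIps), dynamic([]), IfaceIps)
| extend RowIps = array_concat(pack_array(RemoteIP, LocalIP), IfaceIps)
| mv-expand Ip = RowIps to typeof(string)
| where isnotempty(Ip);
// Step 2: collapse per alert. The parser uses make_list(); make_set() is used
// here because it also de-duplicates (10.0.0.5 appears twice for da-1), which
// avoids duplicate matches in the join below.
// replace_regex() is the supported replacement for the deprecated replace();
// the hostname trim it performs here is illustrative, not the parser's logic.
let Consolidated = PerRow
| summarize IpAddresses = make_set(Ip) by AlertId, DeviceName
| extend AdditionalFields = bag_pack("IpAddresses", IpAddresses),
         DvcHostname = replace_regex(DeviceName, @'\..*$', ''),
         DvcIdType = "FQDN";   // the 0.2.0 value; earlier versions emitted "MDEid"
// Step 3: correlate the array against a constructed indicator list, the way a
// detection over the normalized alert table would.
let Indicators = datatable(IndicatorIp:string)["198.51.100.7", "192.0.2.99"];
Consolidated
| mv-expand MatchedIp = AdditionalFields.IpAddresses to typeof(string)
| join kind=inner Indicators on $left.MatchedIp == $right.IndicatorIp
| project AlertId, DvcHostname, DvcIdType, MatchedIp, AdditionalFields
```

Run as a single query in a Log Analytics or Advanced Hunting window. With the constructed rows, da-1 consolidates to three unique addresses and matches nothing, while da-2 matches on 198.51.100.7 and is the only row returned; the same mv-expand over AdditionalFields.IpAddresses is what a detection would run against the real parser output, and the DvcIdType line is where a filter still pinned to “MDEid” would silently drop every row.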
Affected Files
Parsers/ASimAlertEvent/ARM/ASimAlertEventMicrosoftDefenderXDR/ASimAlertEventMicrosoftDefenderXDR.json
Parsers/ASimAlertEvent/ARM/vimAlertEventMicrosoftDefenderXDR/vimAlertEventMicrosoftDefenderXDR.json
Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEventMicrosoftDefenderXDR.md
Parsers/ASimAlertEvent/CHANGELOG/vimAlertEventMicrosoftDefenderXDR.md
Parsers/ASimAlertEvent/Parsers/ASimAlertEventMicrosoftDefenderXDR.yaml
Parsers/ASimAlertEvent/Parsers/vimAlertEventMicrosoftDefenderXDR.yaml