What Changed

The ASIM Process Event parsers for Microsoft 365 Defender for Endpoint have been enhanced to extract additional file metadata fields that were previously available in source data but not mapped to standardized ASIM fields.

Parser Impact

Both ASimProcessEventMicrosoft365D and vimProcessEventMicrosoft365D parsers now include:

New TargetProcessFile mappings:*

  • TargetProcessFileCompany (from ProcessVersionInfoCompanyName)
  • TargetProcessFileDescription (from ProcessVersionInfoFileDescription)
  • TargetProcessFileProduct (from ProcessVersionInfoProductName)
  • TargetProcessFileVersion (from ProcessVersionInfoProductVersion)
  • TargetProcessFileInternalName (from ProcessVersionInfoInternalFileName)
  • TargetProcessFileOriginalName (from ProcessVersionInfoOriginalFileName)
  • TargetProcessFileSize (from FileSize, null when zero)

New ActingProcessFile mappings:*

  • ActingProcessFileCompany (from InitiatingProcessVersionInfoCompanyName)
  • ActingProcessFileDescription (from InitiatingProcessVersionInfoFileDescription)
  • ActingProcessFileProduct (from InitiatingProcessVersionInfoProductName)
  • ActingProcessFileVersion (from InitiatingProcessVersionInfoProductVersion)
  • ActingProcessFileInternalName (from InitiatingProcessVersionInfoInternalFileName)
  • ActingProcessFileOriginalName (from InitiatingProcessVersionInfoOriginalFileName)
  • ActingProcessFileSize (from InitiatingProcessFileSize, null when zero)

Additional projections:

  • EventUid field mapping
  • AdditionalFields, DvcHostname, DvcDomain, DvcDomainType output projection

This is a data fidelity improvement — queries referencing these file metadata fields against these parsers previously returned null for all rows. No change to core filtering logic or entity types.

Affected Files

Parsers/ASimProcessEvent/ARM/ASimProcessEventMicrosoft365D/ASimProcessEventMicrosoft365D.json
Parsers/ASimProcessEvent/ARM/vimProcessEventMicrosoft365D/vimProcessEventMicrosoft365D.json
Parsers/ASimProcessEvent/CHANGELOG/ASimProcessEventMicrosoft365D.md
Parsers/ASimProcessEvent/CHANGELOG/vimProcessEventMicrosoft365D.md
Parsers/ASimProcessEvent/Parsers/ASimProcessEventMicrosoft365D.yaml
Parsers/ASimProcessEvent/Parsers/vimProcessEventMicrosoft365D.yaml
Sample Data/ASIM/Microsoft_M365 Defender for Endpoint_ProcessEvent_IngestedLogs.csv