The Microsoft Defender for Endpoint Connected Assets and Risk connector incrementally synchronizes the contents of the Microsoft Defender for Endpoint asset databases with the data that is managed by the Connected Assets and Risk service.

The following table shows the Connected Assets and Risk connector to Machine Network Profile data mapping.

Table 1. Machine Network Profile data mapping

| CAR vertex/edge | CAR field | ATP field |
|---|---|---|
| IPAddress (Private) | _key | Machine NetworkInfo -> IPAddresses |
| IPAddress (Public) | _key | Machine Info -> PublicIP |
| MacAddress | _key | Machine NetworkInfo -> MacAddress |
| IPAddress_MacAddress | _from | ipaddress/_key (ipaddress node) |
| | _to | macaddress/_key (macaddress node) |
| | active | TRUE |
| | timestamp | report -> timestamp |
| | source | source -> _key |
| | report | report -> _key |
| Asset_IPAddress | from_external_id | external_id of the machine |
| | _to | ipaddress/_key (ipaddress node) |
| | active | TRUE |
| | timestamp | report -> timestamp |
| | source | source -> _key |
| | report | report -> _key |
The following table shows the Connected Assets and Risk connector to Users data mapping.

Table 2. Users data mapping

| CAR vertex/edge | CAR field | ATP field |
|---|---|---|
| User | _key | User -> accountName |
| Asset_User | _from_external_id | Machine -> id |
| | _to | 'user/' + User -> accountName |
| | report | report -> _key |
| | source | source -> _key |
| | active | True |
| | timestamp | report -> timestamp |
| User_Hostname | _from | 'user/' + User -> accountName |
| | _to | 'hostname/' + Machine -> computerDnsName |
| | report | report -> _key |
| | source | source -> _key |
| | active | True |
| | timestamp | report -> timestamp |
The following table shows the Connected Assets and Risk connector to Vulnerabilities data mapping.

Table 3. Vulnerabilities data mapping

| CAR vertex/edge | CAR field | ATP field |
|---|---|---|
| Asset | Name | Machine -> computerDnsName |
| | Description | Custom message with: osPlatform |
| | external ID | Machine -> id |
| Vulnerability | external_id | Alerts -> id |
| | name | Alerts -> title |
| | Description | Alerts -> description |
| | disclosed_on | Alerts -> firstEventTime |
| | published_on | Alerts -> alertCreationTime |
| Asset_Vulnerability | from_external_id | external_id of the machine |
| | to_external_id | Alerts -> id |
| | active | TRUE |
| | timestamp | report -> timestamp |
| | source | source -> _key |
| | report | report -> _key |
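The following added example (not IBM's connector code) applies the mappings of Tables 1 to 3 to one machine record, producing the CAR vertices and edges with the `_from`/`_to` prefixes, `external_id` links and `active`/`timestamp`/`source`/`report` fields the tables list. The input records (`MACHINE`, `USERS`, `ALERTS`, `REPORT`, `SOURCE`) are constructed to match the tables' field names and are not the real Defender for Endpoint API payload; pairing the MAC address only with the private (NetworkInfo) IP addresses is an assumption.

```python
# Added example, not IBM's connector code: builds the CAR vertices and edges of
# Tables 1 to 3 for one machine. Input record shapes are constructed here to
# match the tables' field names and may differ from the real Defender API JSON.
REPORT = {"_key": "report-42", "timestamp": 1700000000000}  # constructed
SOURCE = {"_key": "defender-for-endpoint"}                   # constructed
MACHINE = {"id": "m-1", "computerDnsName": "ws01.corp.example", "osPlatform": "Windows10",
           "Info": {"PublicIP": "203.0.113.7"},
           "NetworkInfo": {"IPAddresses": ["10.0.0.5", "10.0.0.6"], "MacAddress": "00:11:22:33:44:55"}}
USERS = [{"accountName": "alice"}]
ALERTS = [{"id": "al-1", "title": "Suspicious script", "description": "Encoded command",
           "firstEventTime": "2024-01-02T03:04:05Z", "alertCreationTime": "2024-01-02T03:05:00Z"}]

def edge(col, **ends):
    """One edge: its endpoints plus the active/timestamp/source/report fields every table lists."""
    return {"col": col, **ends, "active": True, "timestamp": REPORT["timestamp"],
            "source": SOURCE["_key"], "report": REPORT["_key"]}

def map_machine(machine, users, alerts):
    """Return {"vertices": [...], "edges": [...]} for one machine record."""
    v, e = [], []
    ext_id, host = machine["id"], machine["computerDnsName"]
    net = machine.get("NetworkInfo", {})
    # Table 3, Asset vertex: name, custom description carrying osPlatform, external ID
    v.append({"col": "asset", "name": host, "external_id": ext_id,
              "description": "Defender for Endpoint machine, osPlatform=" + machine["osPlatform"]})
    # Table 1: private IPs from NetworkInfo, public IP from Info; each links to the asset
    private_ips = list(net.get("IPAddresses", []))
    for ip in private_ips + [machine["Info"]["PublicIP"]]:
        v.append({"col": "ipaddress", "_key": ip})
        e.append(edge("asset_ipaddress", from_external_id=ext_id, _to="ipaddress/" + ip))
    mac = net.get("MacAddress")
    if mac:  # assumption: the MAC is paired with the private (NetworkInfo) IPs only
        v.append({"col": "macaddress", "_key": mac})
        for ip in private_ips:
            e.append(edge("ipaddress_macaddress", _from="ipaddress/" + ip, _to="macaddress/" + mac))
    # Table 2: user vertex keyed by accountName, Asset_User and User_Hostname edges
    for name in (u["accountName"] for u in users):
        v.append({"col": "user", "_key": name})
        e.append(edge("asset_user", _from_external_id=ext_id, _to="user/" + name))
        e.append(edge("user_hostname", _from="user/" + name, _to="hostname/" + host))
    # Table 3, Vulnerability: each alert becomes a vulnerability tied to the asset
    for a in alerts:
        v.append({"col": "vulnerability", "external_id": a["id"], "name": a["title"],
                  "description": a["description"], "disclosed_on": a["firstEventTime"],
                  "published_on": a["alertCreationTime"]})
        e.append(edge("asset_vulnerability", from_external_id=ext_id, to_external_id=a["id"]))
    return {"vertices": v, "edges": e}

if __name__ == "__main__":
    print(map_machine(MACHINE, USERS, ALERTS))
```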