Microsoft Defender for Endpoint data mapping

The Microsoft Defender® for Endpoint Connected Assets and Risk connector incrementally synchronizes the contents of the Microsoft Defender for Endpoint asset databases with the data that is managed by the Connected Assets and Risk service.

The following table shows how the Connected Assets and Risk connector maps Machine Network Profile data from Microsoft Defender for Endpoint to CAR vertices and edges.

Table 1. Machine Network Profile data mapping

CAR vertex/edge       CAR field          ATP field
IPAddress (Private)   _key               Machine NetworkInfo -> IPAddresses
IPAddress (Public)    _key               Machine Info -> PublicIP
MacAddress            _key               Machine NetworkInfo -> MacAddress
IPAddress_MacAddress  _from              ipaddress/_key (ipaddress node)
                      _to                macaddress/_key (macaddress node)
                      active             TRUE
                      timestamp          report -> timestamp
                      source             source -> _key
                      report             report -> _key
Asset_IPAddress       from_external_id   external_id of the machine
                      _to                ipaddress/_key (ipaddress node)
                      active             TRUE
                      timestamp          report -> timestamp
                      source             source -> _key
                      report             report -> _key
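As an added illustration of Table 1 (example code, not the connector's own), the function below turns one machine record into the ipaddress and macaddress vertices and the IPAddress_MacAddress and Asset_IPAddress edges, using the edge fields the table lists. The input shape (a NetworkInfo list of interfaces, each with a MacAddress and its IPAddresses, plus Info -> PublicIP) and the sample record are assumptions; the page does not specify the raw record layout.

```python
def map_machine_network_profile(machine, report, source):
    """Build the Table 1 vertices and edges for one machine record.
    Assumed input shape (not the connector's own): machine = {"id", "Info":
    {"PublicIP"}, "NetworkInfo": [{"MacAddress", "IPAddresses": [...]}]},
    report = {"_key", "timestamp"}, source = {"_key"}."""
    # Edge fields shared by both edge types in Table 1
    common = {"active": True, "timestamp": report["timestamp"],
              "source": source["_key"], "report": report["_key"]}
    vertices, edges, seen_ips = [], [], set()

    def ip_vertex(addr):
        # One ipaddress vertex per distinct address (the address is its _key)
        if addr not in seen_ips:
            seen_ips.add(addr)
            vertices.append({"collection": "ipaddress", "_key": addr})
        return "ipaddress/" + addr

    for iface in machine.get("NetworkInfo", []):
        mac = iface["MacAddress"]
        vertices.append({"collection": "macaddress", "_key": mac})
        for addr in iface["IPAddresses"]:
            # IPAddress_MacAddress: ipaddress/_key -> macaddress/_key
            edges.append({"collection": "ipaddress_macaddress",
                          "_from": ip_vertex(addr), "_to": "macaddress/" + mac,
                          **common})
    public_ip = machine.get("Info", {}).get("PublicIP")
    if public_ip:                      # IPAddress (Public) gets no MAC edge
        ip_vertex(public_ip)
    # Asset_IPAddress: keyed by the machine's external_id, one edge per IP vertex
    for v in vertices:
        if v["collection"] == "ipaddress":
            edges.append({"collection": "asset_ipaddress",
                          "from_external_id": machine["id"],
                          "_to": "ipaddress/" + v["_key"], **common})
    return vertices, edges


# Constructed sample input (not real telemetry)
SAMPLE_MACHINE = {
    "id": "machine-0001",
    "Info": {"PublicIP": "203.0.113.7"},
    "NetworkInfo": [
        {"MacAddress": "00-11-22-33-44-55", "IPAddresses": ["10.0.0.5", "fe80::1"]},
        {"MacAddress": "66-77-88-99-AA-BB", "IPAddresses": ["192.168.1.20"]},
    ],
}
SAMPLE_REPORT = {"_key": "report-0001", "timestamp": 1700000000}
SAMPLE_SOURCE = {"_key": "mde-connector"}
```

For the sample record this yields six vertices (four ipaddress, two macaddress), three IPAddress_MacAddress edges and four Asset_IPAddress edges, every edge carrying the same report, source and timestamp keys.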
The following table shows how the Connected Assets and Risk connector maps Users data from Microsoft Defender for Endpoint to CAR vertices and edges.

Table 2. Users data mapping

CAR vertex/edge   CAR field            ATP field
User              _key                 User -> accountName
Asset_User        _from_external_id    Machine -> id
                  _to                  'user/' + user -> accountName
                  report               report -> _key
                  source               source -> _key
                  active               True
                  timestamp            report -> timestamp
User_Hostname     _from                'user/' + user -> accountName
                  _to                  'hostname/' + Machine -> computerDnsName
                  report               report -> _key
                  source               source -> _key
                  active               True
                  timestamp            report -> timestamp
Report_User       _from                'report/' + report -> _key
                  _to                  'user/' + user -> accountName
                  source               source -> _key
                  active               True
                  timestamp            report -> timestamp
The following table shows how the Connected Assets and Risk connector maps Vulnerabilities data from Microsoft Defender for Endpoint to CAR vertices and edges.

Table 3. Vulnerabilities data mapping

CAR vertex/edge      CAR field           ATP field
Asset                Name                Machine -> computerDnsName
                     Description         Custom message with: osPlatform
                     external ID         Machine -> id
Vulnerability        external_id         Alerts -> id
                     name                Alerts -> title
                     Description         Alerts -> description
                     disclosed_on        Alerts -> firstEventTime
                     published_on        Alerts -> alertCreationTime
Asset_Vulnerability  from_external_id    external_id of the machine
                     to_external_id      Alerts -> id
                     active              TRUE
                     timestamp           report -> timestamp
                     source              source -> _key
                     report              report -> _key