pC_microsoftdefenderepjsongroupmodifysuccessgroupmembershipchanged.md


Parser Content

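{
  # Exabeam parser for Microsoft Defender Advanced Hunting
  # "IdentityDirectoryEvents" records whose ActionType is
  # "Group Membership changed". A directory-group membership change is the
  # classic privilege-escalation path (e.g. an account being added to a
  # privileged group), so downstream rules rely on the group and actor fields
  # extracted below being populated reliably.
  Name = "microsoft-defenderep-json-group-modify-success-groupmembershipchanged"
  Vendor = Microsoft
  Product = "Microsoft Defender"
  # Raw-message substring conditions that select events for this parser.
  # NOTE(review): these are substring matches on the raw JSON, not structural
  # checks; presumably all four must be present for the parser to fire, and a
  # field whose free text happens to contain one of them would also satisfy
  # it — confirm against the parser engine's condition semantics.
  Conditions = [ """"category":""", """"AdvancedHunting-IdentityDirectoryEvents"""", """"ActionType":""", """"Group Membership changed"""" ]
  ExtractionType = json
  # Candidate formats tried against Timestamp: 6, 7 or 0 fractional-second
  # digits. NOTE(review): whether the pattern's "Z" accepts a literal trailing
  # "Z" depends on the time-parser implementation — verify on a real event.
  TimeFormat = [ "yyyy-MM-dd'T'HH:mm:ss.SSSSSSZ", "yyyy-MM-dd'T'HH:mm:ss.SSSSSSSZ", "yyyy-MM-dd'T'HH:mm:ssZ" ]
  # Field extractions. Paths starting with "$.." are recursive-descent lookups
  # (first match anywhere in the document), "$." paths are root-anchored.
  Fields = [
    """exa_json_path=$..Timestamp,exa_field_name=time""",
    # NOTE(review): TargetDeviceName is mapped to src_host while
    # DestinationDeviceName (further down) is mapped to dest_host — confirm this
    # orientation matches how rules consume src_host/dest_host.
    """exa_json_path=$..TargetDeviceName,exa_field_name=src_host""",
    # Actor identity. The match expressions skip JSON nulls that arrive
    # serialized as the string "null".
    """exa_json_path=$..AccountDomain,exa_field_name=domain,exa_match_expr=!Contains(tolower($..AccountDomain), "null")""",
    # Two alternatives: a UPN/e-mail address is captured as email_address,
    # otherwise a bare account name (optionally ending in "$") as user.
    """exa_json_path=$..AccountUpn,exa_regex=(({email_address}([A-Za-z0-9]+[!#$%&'+\/=?^_`~.-])*[A-Za-z0-9]+@[^\]\s"\\,\|]+\.[^\]\s"\\,\|]+)|({user}[\w\.\-\!\#\^\~]{1,40}\$?)),exa_match_expr=!Contains(tolower($..AccountUpn), "null")""",
    # NOTE(review): Contains(x, "") is true for every string under ordinary
    # substring semantics, so this negated guard would suppress protocol on
    # every event; the sibling guards above test for "null". Left unchanged —
    # confirm the intended check before editing it.
    """exa_json_path=$..Protocol,exa_field_name=protocol,exa_match_expr=!Contains(tolower($..Protocol), "")""",
    # IPv6 or IPv4 address with an optional ":port" suffix.
    # NOTE(review): dest_port is produced both here (from the regex) and by the
    # explicit DestinationPort extraction below; which value wins when both are
    # present depends on the engine — confirm.
    """exa_json_path=$..DestinationIPAddress,exa_regex=({dest_ip}((([0-9a-fA-F.]{0,4}):{1,2}){1,7}([0-9a-fA-F]){0,4})|(((25[0-5]|(2[0-4]|1\d|[0-9]|)\d)\.?\b){4}))(:({dest_port}\d+))?""",
    """exa_json_path=$..IPAddress,exa_regex=({src_ip}((([0-9a-fA-F.]{0,4}):{1,2}){1,7}([0-9a-fA-F]){0,4})|(((25[0-5]|(2[0-4]|1\d|[0-9]|)\d)\.?\b){4}))(:({src_port}\d+))?""",
    """exa_json_path=$..DestinationPort,exa_field_name=dest_port""",
    """exa_json_path=$..Application,exa_field_name=app""",
    """exa_json_path=$.category,exa_field_name=category""",
    """exa_json_path=$..ActionType,exa_field_name=event_name""",
    """exa_json_path=$..AdditionalFields.AttackTechniques,exa_field_name=additional_info""",
    # The group whose membership changed (name and SID), read from the dotted
    # keys inside AdditionalFields. NOTE(review): only the group and the acting
    # account (AccountUpn / SourceAccountSid) are extracted; the member that
    # was added or removed is not — if detections need it, confirm which
    # AdditionalFields key carries it and add an extraction.
    """exa_json_path=$..['TARGET_OBJECT.GROUP'],exa_field_name=group_name""",
    """exa_json_path=$..['TARGET_OBJECT.GROUP_SID'],exa_field_name=group_id""",
    """exa_json_path=$..DestinationDeviceName,exa_field_name=dest_host""",
    """exa_json_path=$..SourceAccountSid,exa_field_name=user_sid""",
    """exa_json_path=$.tenantId,exa_field_name=tenant_id"""
  ]
  ParserVersion = "v1.0.0"
}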