Hello,
I am trying to create an extension for the Defender for Endpoint parser because the current prebuilt does not include some additional fields that I need. But I am running into a very odd issue, I was attempting to use some of the prebuilt logic that was accessing the field but I am continually getting this error message - “No UDM events or entities were generated for the current parser configuration. If this is not intended, rectify the code snippet/UDM mappings and then click preview.”
Here is my current parser logic:
filter{
mutate {
replace => {
"record_AdditionalFields" => "%{properties.AdditionalFields}"
}
}
statedump{
label => "start"
}
if [record_AdditionalFields] != "" {
json {
source => "record_AdditionalFields"
target => "_AdditionalFields"
array_function => "split_columns"
on_error => "properties_additional_fields_is_object"
}
if ![properties_additional_fields_is_object] {
for key, value in _AdditionalFields map {
mutate {
convert => {
"value" => "string"
}
on_error => "additional_field_value_conversion_error"
}
if [key] == "DnsQueryType" {
mutate {
replace => {
"network.dns.additional.type" => "%{value}"
}
}
}
mutate {
merge => {
"udm_event.idm.read_only_udm.additional.fields" => "dns_query_type"
}
}
mutate {
remove_field => ["dns_query_type"]
}
}
}
}
statedump{
label => "end"
}
mutate {
merge => {
"@output" => "udm_event"
}
on_error => "_"
}
}Here is the log that I am trying to validate against:
{
"time": "2026-01-26T14:55:48.2596506Z",
"tenantId": " [removed by moderator] [removed by moderator] ",
"operationName": "Publish",
"category": "AdvancedHunting-DeviceEvents",
"_TimeReceivedBySvc": "2026-01-26T14:54:09.7046051Z",
"properties": {
"DeviceId": " [removed by moderator] 0 [removed by moderator] 010",
"DeviceName": "newdevice",
"ReportId": 184155,
"InitiatingProcessId": 2464,
"InitiatingProcessCreationTime": "2026-01-16T01:52:46.7340349Z",
"InitiatingProcessCommandLine": "svchost.exe -k NetworkService -p",
"InitiatingProcessParentFileName": "services.exe",
"InitiatingProcessParentId": 1308,
"InitiatingProcessParentCreationTime": "2026-01-16T01:52:45.9827673Z",
"InitiatingProcessSHA1": "2938ff787f23b6a706526bf852bb9bc147225a77",
"InitiatingProcessMD5": "7b88d0896fbf43469a9959d59824a514",
"InitiatingProcessFileName": "svchost.exe",
"InitiatingProcessFolderPath": "c:\\windows\\system32\\svchost.exe",
"InitiatingProcessAccountName": "network service",
"InitiatingProcessAccountDomain": "nt authority",
"SHA1": null,
"MD5": null,
"FileName": null,
"FolderPath": null,
"AccountName": null,
"AccountDomain": null,
"AdditionalFields": "{\"DnsQueryString\":\"www.clarity.ms\",\"DnsQueryResult\":[\"{\\\"DnsQueryType\\\":\\\"CNAME\\\",\\\"Result\\\":\\\"tm-clarity-tag.trafficmanager.net\\\"}\",\"{\\\"DnsQueryType\\\":\\\"CNAME\\\",\\\"Result\\\":\\\"vmss-clarity-tag-eus2.eastus2.cloudapp.azure.com\\\"}\",\"{\\\"DnsQueryType\\\":\\\"SOA\\\",\\\"Result\\\":\\\"ns1-06.azure-dns.com\\\"}\"],\"ClientProcessName\":\"NisSrv.exe\",\"ClientProcessId\":\"10452\"}",
"InitiatingProcessAccountSid": "S-1-5-20",
"AppGuardContainerId": "",
"InitiatingProcessSHA256": "53a39b900e3bfbf384acd13f0fc2329fa8d42b61e993d8ed5adf3a1428005d26",
"SHA256": null,
"RemoteUrl": null,
"ProcessCreationTime": null,
"ProcessTokenElevation": null,
"ActionType": "DnsQueryResponse",
"FileOriginUrl": null,
"FileOriginIP": null,
"InitiatingProcessLogonId": 0,
"AccountSid": null,
"RemoteDeviceName": null,
"RegistryKey": null,
"RegistryValueName": null,
"RegistryValueData": null,
"LogonId": null,
"LocalIP": null,
"LocalPort": null,
"RemoteIP": null,
"RemotePort": null,
"ProcessId": null,
"ProcessCommandLine": null,
"InitiatingProcessAccountUpn": null,
"InitiatingProcessAccountObjectId": null,
"FileSize": null,
"InitiatingProcessFileSize": 88232,
"InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
"InitiatingProcessVersionInfoProductName": "Microsoft® Windows® Operating System",
"InitiatingProcessVersionInfoProductVersion": "10.0.26100.5074",
"InitiatingProcessVersionInfoInternalFileName": "svchost.exe",
"InitiatingProcessVersionInfoOriginalFileName": "svchost.exe",
"InitiatingProcessVersionInfoFileDescription": "Host Process for Windows Services",
"InitiatingProcessSessionId": 0,
"IsInitiatingProcessRemoteSession": false,
"InitiatingProcessRemoteSessionDeviceName": null,
"InitiatingProcessRemoteSessionIP": null,
"CreatedProcessSessionId": null,
"IsProcessRemoteSession": false,
"ProcessRemoteSessionDeviceName": null,
"ProcessRemoteSessionIP": null,
"InitiatingProcessUniqueId": " [removed by moderator] ",
"Timestamp": "2026-01-26T14:51:59.2103101Z",
"MachineGroup": "UnassignedGroup"
},
"Tenant": "DefaultTenant"
}Any help is much appreciated, I have never ran into that message before when attempting to build a parser and anything that I try it just keep popping up with the same message.
Thanks!