demisto · eepstain · Dec 18, 2022 · Dec 15, 2022 · Dec 15, 2022 · Dec 15, 2022
diff --git a/...ytics/ModelingRules/MicrosoftAdvancedThreatAnalytics/MicrosoftAdvancedThreatAnalytics.xif b/...ytics/ModelingRules/MicrosoftAdvancedThreatAnalytics/MicrosoftAdvancedThreatAnalytics.xif
@@ -0,0 +1,18 @@
+[MODEL: dataset="microsoft_ata_raw"]
+alter
+    xdm.observer.unique_identifier = app, 
+    xdm.event.operation = msg,
+    xdm.source.host.hostname = shost, 
+    xdm.source.user.username = suser,
+    xdm.event.description = cefName,
+    // cefVersion
+    xdm.event.id = externalId,
+    xdm.alert.severity = cefSeverity,
+    xdm.observer.vendor = cefDeviceVendor,
+    xdm.observer.product = cefDeviceProduct,
+    xdm.observer.version = cefDeviceVersion,
+    xdm.event.type = cefDeviceEventClassId,
+    xdm.observer.type = cs1,
+    xdm.observer.action = cs1Label,
+    xdm.target.host.hostname = request,
+    xdm.event.operation_sub_type = requestMethod;
diff --git a/...ytics/ModelingRules/MicrosoftAdvancedThreatAnalytics/MicrosoftAdvancedThreatAnalytics.yml b/...ytics/ModelingRules/MicrosoftAdvancedThreatAnalytics/MicrosoftAdvancedThreatAnalytics.yml
@@ -0,0 +1,6 @@
+fromversion: 6.10.0
+id: Microsoft_Advanced_Threat_Analytics
+name: Microsoft Advanced Threat Analytics
+rules: ''
+schema: ''
+tags: ''
diff --git a/...delingRules/MicrosoftAdvancedThreatAnalytics/MicrosoftAdvancedThreatAnalytics_schema.json b/...delingRules/MicrosoftAdvancedThreatAnalytics/MicrosoftAdvancedThreatAnalytics_schema.json
@@ -0,0 +1,56 @@
+{
+    "microsoft_ata_raw": {
+      "app": {
+          "type": "string",
+          "is_array": false
+      },
+      "msg": {
+          "type": "string",
+          "is_array": false
+      },
+      "shost": {
+          "type": "string",
+          "is_array": false
+      },
+      "suser": {
+        "type": "string",
+        "is_array": false
+      },
+      "cefName": {
+          "type": "string",
+          "is_array": false
+      },
+      "externalId": {
+          "type": "string",
+          "is_array": false
+      },
+      "cefSeverity": {
+          "type": "string",
+          "is_array": false
+      },
+      "cefDeviceVendor": {
+        "type": "string",
+        "is_array": false
+      },
+      "cefDeviceProduct": {
+        "type": "string",
+        "is_array": false
+      },
+      "cefDeviceVersion": {
+        "type": "string",
+        "is_array": false
+      },
+      "cefDeviceEventClassId": {
+        "type": "string",
+        "is_array": false
+      },
+      "cs1": {
+        "type": "string",
+        "is_array": false
+      },
+      "cs1Label": {
+        "type": "string",
+        "is_array": false
+      }
+    }
+  }
diff --git a/...lingRules/MicrosoftAdvancedThreatAnalytics/MicrosoftAdvancedThreatAnalytics_testdata.json b/...lingRules/MicrosoftAdvancedThreatAnalytics/MicrosoftAdvancedThreatAnalytics_testdata.json
@@ -0,0 +1,28 @@
+{
+    "data": [
+        {
+            "test_data_event_id": "8c77aa82-ce1b-48e0-833f-01d2de14427d",
+            "vendor": "microsoft",
+            "product": "ata",
+            "dataset": "microsoft_ata_raw",
+            "event_data": {
+                "start": "", "app": "empty", "cs1": "https://viewmsata.domain.local/", "msg": "The Lightweight Gateway, sheker.local, stopped itself and will restart automatically to protect the domain controller from a low memory condition", "shost": "john.local", "suser": "john", "cefName": "GatewayLowMemoryMonitoringAlert", "request": "", "cs1Label": "url", "cefVersion": "CEF:0", "externalId": "1019", "cefSeverity": "5", "requestMethod": "", "cefDeviceVendor": "Microsoft", "cefDeviceProduct": "ATA", "cefDeviceVersion": "1.9.7576.49398", "cefDeviceEventClassId": "GatewayLowMemoryMonitoringAlert"
+            },
+            "expected_values": {
+                "xdm.event.operation": "The Lightweight Gateway, sheker.local, stopped itself and will restart automatically to protect the domain controller from a low memory condition",
+                "xdm.alert.severity": "5",
+                "xdm.observer.type": "url",
+                "xdm.source.user.username": "john",
+                "xdm.observer.product": "ATA",
+                "xdm.observer.unique_identifier": "empty",
+                "xdm.source.host.hostname": "john.local",
+                "xdm.observer.vendor": "Microsoft",
+                "xdm.observer.version": "1.9.7576.49398",
+                "xdm.event.id": "1019",
+                "xdm.observer.action": "https://viewmsata.domain.local/",
+                "xdm.event.type": "GatewayLowMemoryMonitoringAlert",
+                "xdm.event.description": "GatewayLowMemoryMonitoringAlert"
+            }
+        }
+    ]
+}
diff --git a/Packs/MicrosoftAdvancedThreatAnalytics/ReleaseNotes/1_0_9.md b/Packs/MicrosoftAdvancedThreatAnalytics/ReleaseNotes/1_0_9.md
@@ -0,0 +1,5 @@
+
+#### Modeling Rules
+##### New: Microsoft Advanced Threat Analytics
+- Aligned modeling rules to new XDM schema.
+- Queries and modeling rules in this content pack version support XDR 3.5 / XSIAM 1.3 or later.
diff --git a/Packs/MicrosoftAdvancedThreatAnalytics/pack_metadata.json b/Packs/MicrosoftAdvancedThreatAnalytics/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Microsoft Advanced Threat Analytics",
     "description": "Manage suspicious activities, monitoring alerts and entities on Microsoft ATA.",
     "support": "xsoar",
-    "currentVersion": "1.0.8",
+    "currentVersion": "1.0.9",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",