Change log for ADAUDIT_PLUS
| Date | Changes |
|---|---|
| 2025-04-10 | Enhancement :
- Updated "event.idm.read_only_udm.metadata.event_type" to "USER_DELETION" when "target_user_present" is "true". - Mapped flag "target_user_present" to true whenever "event.idm.read_only_udm.target.user.userid" udm field is not null. - Added flag check "target_user_present" for "target.user.userid" before mapping "event.idm.read_only_udm.metadata.event_type" to "USER_DELETION". - Validated IP for "shost" using grok pattern. |
| 2025-03-03 | Enhancement :
- Mapped "CALLER_USER_NAME" , "ATTRIBUTES_TEXT" , "MEMBER_NAME" , "MEMBER_SAM_ACCOUNT_NAME" and "MEMBER_DISPLAY_NAME" to "principal.resource.attribute.labels". |
| 2025-02-19 | Enhancement :
- Mapped "EVENT_NUMBER", "REMARKS", "EVENT_TYPE", "ATTRIBUTES_NEW_VALUE", "ATTRIBUTES_OLD_VALUE", and "OPERATION_TYPE" to "additional.fields". - Mapped "EVENT_TYPE_TEXT" to "security_result.detection_fields". - Mapped "ACCOUNT_NAME" to "principal.user.user_display_name". |
| 2024-05-20 | Enhancement :
- If the value of the field "outcome" is similar to "Success", set "security_result.action" to "ALLOW". - If the value of the field "msg_data" is similar to "Success", set "security_result.action" to "ALLOW". - Added a Grok pattern over "msg_data" to extract "act", "suid" and "reason". - Mapped "msg_data" to "security_result.description". - Mapped "cs1", "cs3", "cs4", "cs5", "cn1", "cn2", and "cn3" to ""additional.fields". |
| 2024-01-19 | Enhancement :
- Modified a Grok pattern to parse unparsed logs. - Mapped "IP" to "principal.asset.ip". - Mapped "_PrincipalIP" to "principal.asset.ip". - Mapped "host" to "principal.asset.hostname". - Mapped "principalHost" to "principal.asset.hostname". - Mapped "SOURCE" to "principal.asset.hostname". - Mapped "_TargetIP" to "target.asset.ip". - Mapped "CLIENT_IP_ADDRESS" to "target.asset.hostname". - Mapped "CLIENT_HOST_NAME" to "target.asset.hostname". - Mapped "targetHost" to "target.asset.hostname". |
| 2023-10-17 | Bug-Fix :
- Added IP check before mapping "IP" to "principal.ip". - Added IP check before mapping "CLIENT_IP_ADDRESS" to "target.ip". - Added validation check for "ACCOUNT_SID" before mapping to "principal.group.windows_sid". - Added validation check for "CALLER_USER_SID" before mapping to "target.group.windows_sid". - When "principal" is present, set "event_type" to "STATUS_UPDATE". - Modified a Grok pattern to parse "file_path" from new pattern of "FORMAT_MESSAGE". - Added a check for "has_target_resource" when "event_type" is "SCHEDULED_TASK_CREATION". |
| 2023-03-17 | Enhancement :
- Supported CEF format logs and mapped the following fields: - "IP" mapped to "principal.ip". - "LOGIN NAME" mapped to "target.user.userid or target.user.email_addresses or target.user.user_display_name". - "DOMAIN NAME" mapped to "principal.administrative_domain". - "HOST" mapped to "principal.hostname". - "ACCESS_MODE" mapped to "security_result.detection_fields". - "STATUS" mapped to "security_result.summary". - If "STATUS" is "success" then "security_result.action" mapped to "ALLOW" else if "STATUS" is "denied or incorrect" then "security_result.action" mapped to "BLOCK". |