Change log for ADAUDIT_PLUS
2025-04-10
Enhancement:
- Updated "event.idm.read_only_udm.metadata.event_type" to "USER_DELETION" when "target_user_present" is "true".
- Set the flag "target_user_present" to true whenever the "event.idm.read_only_udm.target.user.userid" UDM field is not null.
- Added a check of the "target_user_present" flag (derived from "target.user.userid") before mapping "event.idm.read_only_udm.metadata.event_type" to "USER_DELETION".
- Validated the IP in "shost" using a Grok pattern before mapping it.

2025-03-03
Enhancement:
- Mapped "CALLER_USER_NAME", "ATTRIBUTES_TEXT", "MEMBER_NAME", "MEMBER_SAM_ACCOUNT_NAME" and "MEMBER_DISPLAY_NAME" to "principal.resource.attribute.labels".

2025-02-19
Enhancement:
- Mapped "EVENT_NUMBER", "REMARKS", "EVENT_TYPE", "ATTRIBUTES_NEW_VALUE", "ATTRIBUTES_OLD_VALUE" and "OPERATION_TYPE" to "additional.fields".
- Mapped "EVENT_TYPE_TEXT" to "security_result.detection_fields".
- Mapped "ACCOUNT_NAME" to "principal.user.user_display_name".

2024-05-20
Enhancement:
- If the value of the field "outcome" matches "Success", set "security_result.action" to "ALLOW".
- If the value of the field "msg_data" matches "Success", set "security_result.action" to "ALLOW".
- Added a Grok pattern over "msg_data" to extract "act", "suid" and "reason".
- Mapped "msg_data" to "security_result.description".
- Mapped "cs1", "cs3", "cs4", "cs5", "cn1", "cn2" and "cn3" to "additional.fields".

2024-01-19
Enhancement:
- Modified a Grok pattern to parse previously unparsed logs.
- Mapped "IP" to "principal.asset.ip".
- Mapped "_PrincipalIP" to "principal.asset.ip".
- Mapped "host" to "principal.asset.hostname".
- Mapped "principalHost" to "principal.asset.hostname".
- Mapped "SOURCE" to "principal.asset.hostname".
- Mapped "_TargetIP" to "target.asset.ip".
- Mapped "CLIENT_IP_ADDRESS" to "target.asset.hostname".
- Mapped "CLIENT_HOST_NAME" to "target.asset.hostname".
- Mapped "targetHost" to "target.asset.hostname".

2023-10-17
Bug-Fix:
- Added an IP validity check before mapping "IP" to "principal.ip".
- Added an IP validity check before mapping "CLIENT_IP_ADDRESS" to "target.ip".
- Added a validation check for "ACCOUNT_SID" before mapping it to "principal.group.windows_sid".
- Added a validation check for "CALLER_USER_SID" before mapping it to "target.group.windows_sid".
- When "principal" is present, set "event_type" to "STATUS_UPDATE".
- Modified a Grok pattern to parse "file_path" from the new pattern of "FORMAT_MESSAGE".
- Added a check for "has_target_resource" when "event_type" is "SCHEDULED_TASK_CREATION".

2023-03-17
Enhancement:
- Added support for CEF format logs and mapped the following fields:
  - "IP" mapped to "principal.ip".
  - "LOGIN NAME" mapped to "target.user.userid", "target.user.email_addresses" or "target.user.user_display_name".
  - "DOMAIN NAME" mapped to "principal.administrative_domain".
  - "HOST" mapped to "principal.hostname".
  - "ACCESS_MODE" mapped to "security_result.detection_fields".
  - "STATUS" mapped to "security_result.summary".
  - If "STATUS" is "success", "security_result.action" is mapped to "ALLOW"; if "STATUS" is "denied" or "incorrect", "security_result.action" is mapped to "BLOCK".
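The two security-relevant patterns in this log, the CEF field mapping with the success/denied decision (2023-03-17) and the rule that an IP value is validated before it is written to an IP field (2023-10-17), are easy to get wrong in a parser, so here is an added Python model of them. This is example code written for this page, not the Chronicle parser itself (which is written in the parser configuration language); the CEF lines are constructed samples, the dictionary shape only approximates the UDM fields named above, and the choice of "email_addresses" versus "userid" based on whether the login contains "@" is an assumption, since the log only says that "LOGIN NAME" maps to one of those fields.

```python
import ipaddress
import re

# Extension keys named in the 2023-03-17 entry. "LOGIN NAME" and "DOMAIN NAME"
# contain spaces, so the extension cannot simply be split on whitespace.
CEF_KEYS = ("IP", "LOGIN NAME", "DOMAIN NAME", "HOST", "ACCESS_MODE", "STATUS")
_KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(re.escape(k) for k in CEF_KEYS) + r")=")

# Constructed sample records (not real ADAudit Plus output).
SAMPLE_LOGS = [
    "CEF:0|ManageEngine|ADAudit Plus|1.0|100|Logon|3|"
    "IP=10.0.0.5 LOGIN NAME=alice DOMAIN NAME=corp HOST=dc01 STATUS=success",
    # Malformed IP value: must not end up in principal.ip.
    "CEF:0|ManageEngine|ADAudit Plus|1.0|100|Logon|3|"
    "IP=not-an-ip LOGIN NAME=bob DOMAIN NAME=corp HOST=dc01 STATUS=denied",
    "CEF:0|ManageEngine|ADAudit Plus|1.0|100|Logon|3|"
    "IP=192.0.2.10 LOGIN NAME=carol@corp.example HOST=dc02 ACCESS_MODE=interactive STATUS=incorrect",
]


def parse_cef_extension(line):
    """Return the extension part of a CEF line as a dict of key -> value."""
    fields = line.split("|", 7)
    if len(fields) < 8 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = _KEY_RE.split(fields[7])
    # re.split with a capturing group yields [prefix, key, value, key, value, ...]
    return {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}


def valid_ip(value):
    """The 2023-10-17 fix: only map a value to an IP field if it parses as an address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def status_to_action(status):
    """2023-03-17 rule: success -> ALLOW, denied/incorrect -> BLOCK, anything else unset."""
    s = status.strip().lower()
    if s == "success":
        return "ALLOW"
    if s in ("denied", "incorrect"):
        return "BLOCK"
    return None


def map_to_udm(line):
    """Map one CEF record to a UDM-like dict following the change-log rules."""
    ext = parse_cef_extension(line)
    udm = {"principal": {}, "target": {"user": {}}, "security_result": {}}

    ip = ext.get("IP")
    if ip and valid_ip(ip):  # validated first; repeated field in UDM, hence a list
        udm["principal"]["ip"] = [ip]

    login = ext.get("LOGIN NAME")
    if login:
        # Assumption (not stated on the page): an "@" means an e-mail address.
        if "@" in login:
            udm["target"]["user"]["email_addresses"] = [login]
        else:
            udm["target"]["user"]["userid"] = login

    if "DOMAIN NAME" in ext:
        udm["principal"]["administrative_domain"] = ext["DOMAIN NAME"]
    if "HOST" in ext:
        udm["principal"]["hostname"] = ext["HOST"]
    if "ACCESS_MODE" in ext:
        udm["security_result"]["detection_fields"] = [
            {"key": "ACCESS_MODE", "value": ext["ACCESS_MODE"]}
        ]

    status = ext.get("STATUS")
    if status:
        udm["security_result"]["summary"] = status
        action = status_to_action(status)
        if action:
            udm["security_result"]["action"] = [action]
    return udm


if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        print(map_to_udm(raw))
```

The second sample shows why the validity check matters for detection: a hostname or garbage that lands in "principal.ip" would silently break IP-based correlation and enrichment downstream, whereas leaving the field unset keeps the event searchable by the fields that did parse.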
Last updated 2025-09-07 UTC.