Change log for ADFS

Date Changes
2024-11-21 Enhancement:
- Added support for a new format of JSON logs.
- Changed "metadata.event_type" from "STATUS_UNCATEGORIZED" to "STATUS_UPDATE" where "has_principal" is true.
- Changed "metadata.event_type" from "SYSTEM_AUDIT_LOG_UNCATEGORIZED" to "STATUS_UPDATE" where "has_principal" is true.
2024-09-09 Enhancement:
- Mapped "_raw.Event.System.Computer" to "principal.hostname" and "principal.asset.hostname".
- Mapped "_raw.Event.System.EventRecordID" to "metadata.product_log_id".
- Mapped "_raw.Event.System.Channel", "_raw.Event.System.Keywords", "_raw.Event.System.Task", "_raw.Event.System.Level", "_raw.Event.System.EventID._value", "_raw.Event.System.EventID.Qualifiers", "source", "index", "sourcetype", "host", and "cribl" to "additional.fields".
2024-08-28 Enhancement:
- Added support for the XML logs with "AuditBase" fields.
2024-07-31 Enhancement:
- Added support for a new format of JSON logs.
2024-07-30 Enhancement:
- Added support for the XML logs.
2024-05-27 Enhancement:
- Added a Grok pattern to extract "Instance ID" from "Message" and map it to "target.resource.product_object_id".
2023-08-18 Enhancement:
- Added a Grok pattern to extract "email" from "Message" and map it to "principal.user.email_addresses".
2023-06-31 Enhancement:
- Mapped the field "user_email" to "principal.user.email_addresses".
- Mapped the field "X-Forwarded-For" to "additional.fields".
2023-06-26 Enhancement:
- Added a kv block to extract the values from the field "Message" where "EventID" is "404", "403", "342", or "364".
- Mapped the field "Protocol Name" to "additional.fields".
- Mapped the field "Relying Party" to "additional.fields".
- Mapped the field "Exception details" to "additional.fields".
- Mapped the field "Token Type" to "additional.fields".
- Mapped the field "Error message" to "additional.fields".
- Mapped the field "Client IP" to "principal.ip".
- Mapped the field "Local IP" to "target.ip".
- Mapped the field "Local Port" to "target.port".
- Mapped the fields "Url Absolute Path" and "Query string" to "target.url".
- Mapped the field "Instance ID" to "target.resource.product_object_id".
- Mapped the field "Activity ID" to "security_result.detection_fields".
- Mapped the field "Status Code" to "network.http.response_code".
- Mapped the field "HTTP Method" to "network.http.method".
- Mapped the field "User Agent" to "network.http.user_agent" and "network.http.parsed_user_agent".
2023-06-08 Enhancement:
- Added 'on_error' condition for 'EventID' and 'RecordNumber' conversion.
- Added validation check for the event_type 'SYSTEM_AUDIT_LOG_UNCATEGORIZED'.
- Changed 'metadata.event_type' from 'GENERIC_EVENT' to 'STATUS_UPDATE' where 'principal.hostname' is not null.
2023-02-02 Enhancement:
- Added "UNIX", "UNIX_MS", and "ISO8601" to the date block to parse logs in which "EventTime" and "EventReceivedTime" might be in these formats.
2022-08-09 Bug fix:
- Mapped the "AdapterSuffixName" field to "intermediary.hostname".
2022-07-08 Enhancement:
- Modified mapping for the field 'AdapterSuffixName' from 'target.asset.hostname' to 'intermediary.hostname'.
2022-05-18 Newly Created Parser