Change log for ADFS
| Date | Changes |
|---|---|
| 2024-11-21 | Enhancement:<br>- Added support for a new format of JSON logs.<br>- Changed "metadata.event_type" from "STATUS_UNCATEGORIZED" to "STATUS_UPDATE" where "has_principal" is true.<br>- Changed "metadata.event_type" from "SYSTEM_AUDIT_LOG_UNCATEGORIZED" to "STATUS_UPDATE" where "has_principal" is true. |
| 2024-09-09 | Enhancement:<br>- Mapped "_raw.Event.System.Computer" to "principal.hostname" and "principal.asset.hostname".<br>- Mapped "_raw.Event.System.EventRecordID" to "metadata.product_log_id".<br>- Mapped "_raw.Event.System.Channel", "_raw.Event.System.Keywords", "_raw.Event.System.Task", "_raw.Event.System.Level", "_raw.Event.System.EventID._value", "_raw.Event.System.EventID.Qualifiers", "source", "index", "sourcetype", "host", and "cribl" to "additional.fields". |
| 2024-08-28 | Enhancement:<br>- Added support for XML logs with "AuditBase" fields. |
| 2024-07-31 | Enhancement:<br>- Added support for a new format of JSON logs. |
| 2024-07-30 | Enhancement:<br>- Added support for XML logs. |
| 2024-05-27 | Enhancement:<br>- Added a Grok pattern to extract "Instance ID" from "Message" and map it to "target.resource.product_object_id". |
| 2023-08-18 | Enhancement:<br>- Added a Grok pattern to extract "email" from "Message" and map it to "principal.user.email_addresses". |
| 2023-06-31 | Enhancement:<br>- Mapped the field "user_email" to "principal.user.email_addresses".<br>- Mapped the field "X-Forwarded-For" to "additional.fields". |
| 2023-06-26 | Enhancement:<br>- Added a kv block to extract the values from the field "Message" where "EventID" is "404", "403", "342", or "364".<br>- Mapped the field "Protocol Name" to "additional.fields".<br>- Mapped the field "Relying Party" to "additional.fields".<br>- Mapped the field "Exception details" to "additional.fields".<br>- Mapped the field "Token Type" to "additional.fields".<br>- Mapped the field "Error message" to "additional.fields".<br>- Mapped the field "Client IP" to "principal.ip".<br>- Mapped the field "Local IP" to "target.ip".<br>- Mapped the field "Local Port" to "target.port".<br>- Mapped the fields "Url Absolute Path" and "Query string" to "target.url".<br>- Mapped the field "Instance ID" to "target.resource.product_object_id".<br>- Mapped the field "Activity ID" to "security_result.detection_fields".<br>- Mapped the field "Status Code" to "network.http.response_code".<br>- Mapped the field "HTTP Method" to "network.http.method".<br>- Mapped the field "User Agent" to "network.http.user_agent" and "network.http.parsed_user_agent". |
| 2023-06-08 | Enhancement:<br>- Added an "on_error" condition for the "EventID" and "RecordNumber" conversions.<br>- Added a validation check for the event_type "SYSTEM_AUDIT_LOG_UNCATEGORIZED".<br>- Changed "metadata.event_type" from "GENERIC_EVENT" to "STATUS_UPDATE" where "principal.hostname" is not null. |
| 2023-02-02 | Enhancement:<br>- Added "UNIX", "UNIX_MS", and "ISO8601" to the date block to parse logs in which "EventTime" and "EventReceivedTime" may be in one of these formats. |
| 2022-08-09 | Bug fix:<br>- Mapped the field "AdapterSuffixName" to "intermediary.hostname". |
| 2022-07-08 | Enhancement:<br>- Modified the mapping for the field "AdapterSuffixName" from "target.asset.hostname" to "intermediary.hostname". |
| 2022-05-18 | Newly created parser. |