Change log for AZURE_ACTIVITY

Date Changes
2024-11-07 Enhancement:
- Mapped "identity.claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" to "target.user.email_addresses".
- Mapped "identity.claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" to "target.user.userid".
- Mapped "identity.claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" to "target.user.user_display_name".
2024-09-25 Enhancement:
- Mapped "DOMAIN_ACCOUNT_TYPE" to "principal.user.account_type" when "identity.claims.idtyp" is equal to "user".
- Mapped "SERVICE_ACCOUNT_TYPE" to "principal.user.account_type" when "identity.claims.idtyp" is equal to "app".
- Mapped "identity.claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" to "principal.user.userid".
- Mapped "identity.claims.http://schemas.microsoft.com/identity/claims/objectidentifier" to "principal.user.product_object_id".
2024-08-21 Enhancement:
- Mapped "identity.authorization.evidence.principalId" to "principal.user.userid".
2024-08-08 Enhancement:
- Added support to handle JSON logs.
2024-07-10 Enhancement:
- If "identity.authorization.evidence.principalType" is equal to "Group", then mapped "identity.authorization.evidence.principalId" to "principal.group.product_object_id".
- If "identity.authorization.evidence.principalType" is equal to "User" or "ServicePrincipal", then mapped "identity.authorization.evidence.principalId" to "principal.user.product_object_id".
- Added a gsub to rename the field "properties" to "properties.test", and removed the field named only "properties".
2024-07-08 Enhancement:
- Mapped "properties.compromisedEntity", "properties.attackedResourceType", and "properties.intent" to "target.resource.attribute.labels".
- Mapped "properties.severity" to "security_result.severity".
2024-06-18 Enhancement:
- Mapped "operationVersion" to "metadata.product_version".
- Mapped "properties.authenticationRequirementPolicies.requirementProvider" and "properties.authenticationRequirementPolicies.detail" to "security_result.detection_fields".
- Mapped "properties.authenticationDetails.StatusSequence", "properties.correlationId", "properties.uniqueTokenIdentifier" and "properties.authenticationDetails.RequestSequence" to "security_result.detection_fields".
- Mapped "properties.appDisplayName" to "target.application".
- Mapped "properties.conditionalAccessStatus", "properties.appliedConditionalAccessPolicies", "properties.authenticationContextClassReferences", "properties.signInTokenProtectionStatus", "properties.originalRequestId", "properties.authenticationProcessingDetails", "properties.clientCredentialType", "properties.processingTimeInMilliseconds", "properties.riskDetail", "properties.riskLevelAggregated", "properties.riskLevelDuringSignIn", "properties.riskState" and "properties.originalTransferMethod" to "additional.fields".
- Mapped "properties.riskEventTypes", "properties.riskEventTypes_v2", "properties.homeTenantId", "properties.autonomousSystemNumber", "properties.autonomousSystemNumber" and "properties.privateLinkDetails" to "additional.fields".
- Mapped "properties.resourceId", "properties.resourceTenantId" and "properties.resourceServicePrincipalId" to "target.resource.attribute.labels".
- Mapped "properties.userType" to "principal.user.attribute.roles".
- Mapped "properties.userPrincipalName" to "principal.user.email_addresses".
- Mapped "properties.clientAppUsed" to "principal.application".
- Mapped "properties.deviceDetail.deviceId" to "principal.asset.asset_id" and "principal.asset_id".
- Mapped "properties.appId" to "target.resource.attribute.labels".
- Mapped "properties.status.additionalDetails" to "security_result.description".
- Mapped "properties.responseBody.name" to "security_result.rule_name".
- Mapped "properties.responseBody.properties.sourcePortRanges" and "properties.responseBody.properties.destinationPortRanges" to "additional.fields".
- When "properties.responseBody.properties.sourceAddressPrefixes" is a single ip address, then mapped it to "principal.ip".
- When "properties.responseBody.properties.sourceAddressPrefixes" is a range of ip addresses, then mapped it to "additional.fields".
- When "properties.responseBody.properties.sourceAddressPrefix" is a single ip address or ip address with port, then mapped it to "principal.ip" and "principal.port".
- When "properties.responseBody.properties.sourceAddressPrefix" is a range of ip addresses, then mapped it to "additional.fields".
- When "properties.responseBody.properties.destinationAddressPrefixes" is a single ip address, then mapped it to "target.ip".
- When "properties.responseBody.properties.destinationAddressPrefixes" is a range of ip addresses, then mapped it to "additional.fields".
- When "properties.responseBody.properties.destinationAddressPrefix" is a single ip address or ip address with port, then mapped it to "target.ip" and "target.port".
- When "properties.responseBody.properties.destinationAddressPrefix" is a range of ip addresses, then mapped it to "additional.fields".
- When "properties.responseBody.properties.sourcePortRange" is a single port, then mapped it to "principal.port".
- When "properties.responseBody.properties.sourcePortRange" is a range of ports, then mapped it to "additional.fields".
- When "properties.responseBody.properties.destinationPortRange" is a single port, then mapped it to "target.port".
- When "properties.responseBody.properties.destinationPortRange" is a range of ports, then mapped it to "additional.fields".
- Mapped "properties.id" and "properties.status.errorCode" to "security_result.detection_fields".
- Mapped "properties.isInteractive" to "extensions.auth.mechanism".
- When "properties.deviceDetail.operatingSystem" is "ANDROID", then mapped "principal.platform" to "ANDROID".
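The single-versus-range branching for the NSG address and port fields in the entry above, reimplemented as an added Python example. This is not the parser's own code (the parser itself is expressed as gsub/Grok-style pipeline configuration, not Python); the event shape, the `classify_address`, `classify_port` and `map_nsg_rule` names, and the treatment of values that are neither a literal address nor a CIDR block (service tags such as "Internet" or "*", which this example sends to additional.fields) are assumptions, and the sample event is constructed.

```python
import ipaddress
import re
from typing import Any, Dict, Optional, Tuple

# "ip address with port": IPv4 "a.b.c.d:port" or bracketed IPv6 "[addr]:port".
_IP_PORT_RE = re.compile(
    r"^(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<v4>\d{1,3}(?:\.\d{1,3}){3})):(?P<port>\d{1,5})$"
)

# Constructed sample of the slice of an NSG rule-write event that the
# 2024-06-18 entry branches on; values are made up.
SAMPLE_EVENT: Dict[str, Any] = {
    "properties": {
        "responseBody": {
            "name": "allow-rdp-from-admin",
            "properties": {
                "sourceAddressPrefix": "203.0.113.10",
                "destinationAddressPrefix": "10.0.0.0/24",
                "sourcePortRange": "*",
                "destinationPortRange": "3389",
            },
        }
    }
}


def _valid_port(p: int) -> bool:
    return 0 < p <= 65535


def classify_address(value: str) -> Tuple[str, Optional[str], Optional[int]]:
    """Return (kind, ip, port); kind is "single" (one address, optional port),
    "range" (CIDR block) or "other" (service tag / malformed; assumption)."""
    value = value.strip()
    m = _IP_PORT_RE.match(value)
    if m:
        ip, port = m.group("v4") or m.group("v6"), int(m.group("port"))
        try:
            ipaddress.ip_address(ip)  # reject e.g. 256.1.1.1:80
        except ValueError:
            return ("other", None, None)
        return ("single", ip, port) if _valid_port(port) else ("other", None, None)
    if "/" in value:
        try:
            ipaddress.ip_network(value, strict=False)
            return ("range", None, None)
        except ValueError:
            return ("other", None, None)
    try:
        return ("single", str(ipaddress.ip_address(value)), None)
    except ValueError:
        return ("other", None, None)


def classify_port(value: str) -> Tuple[str, Optional[int]]:
    """("single", port) for one port, ("range", None) for "lo-hi", else ("other", None)."""
    value = value.strip()
    if value.isdigit() and _valid_port(int(value)):
        return ("single", int(value))
    parts = value.split("-")
    if len(parts) == 2 and all(p.isdigit() for p in parts):
        lo, hi = int(parts[0]), int(parts[1])
        if _valid_port(lo) and _valid_port(hi) and lo <= hi:
            return ("range", None)
    return ("other", None)


def map_nsg_rule(event: Dict[str, Any]) -> Dict[str, Any]:
    """Apply the entry's branching to one event and return a flat UDM-style dict.
    Single addresses/ports land on principal.* / target.* so they are searchable
    as entities; ranges and tags are kept verbatim in additional.fields."""
    body = event.get("properties", {}).get("responseBody", {})
    props = body.get("properties", {})
    udm: Dict[str, Any] = {"additional.fields": {}}
    if "name" in body:
        udm["security_result.rule_name"] = body["name"]

    for field, ip_key, port_key in (
        ("sourceAddressPrefix", "principal.ip", "principal.port"),
        ("destinationAddressPrefix", "target.ip", "target.port"),
    ):
        raw = props.get(field)
        if raw is None:
            continue
        kind, ip, port = classify_address(raw)
        if kind == "single":
            udm[ip_key] = ip
            if port is not None:
                udm[port_key] = port
        else:
            udm["additional.fields"][field] = raw

    for field, port_key in (
        ("sourcePortRange", "principal.port"),
        ("destinationPortRange", "target.port"),
    ):
        raw = props.get(field)
        if raw is None:
            continue
        kind, port = classify_port(raw)
        if kind == "single":
            udm[port_key] = port
        else:
            udm["additional.fields"][field] = raw
    return udm


if __name__ == "__main__":
    print(map_nsg_rule(SAMPLE_EVENT))
```

Running the block on the constructed event yields principal.ip "203.0.113.10" and target.port 3389, while the /24 destination prefix and the "*" source port range are preserved under additional.fields. A CIDR is classified as a range purely by syntax, so a /32 is not collapsed to a single address here.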
2024-06-03 Enhancement:
- Mapped "SUBSCRIPTIONS", "RESOURCEGROUPS", "STORAGEACCOUNTS", "PROVIDERS" and "SNAPSHOTS" from "resourceId" to "target.resource.attribute.labels".
2024-05-21 Enhancement:
- If "identity.authorization.evidence.principalType" is equal to "User", "Group", or "Application", then map "principal.resource.type" to "UNSPECIFIED".
- Mapped "identity.authorization.evidence.role" to "principal.user.role_name".
- Mapped "identity.authorization.evidence.principalType" to "principal.resource.resource_subtype".
- Mapped "identity.authorization.evidence.principalId" to "principal.user.product_object_id".
- Mapped "identity.authorization.evidence.roleAssignmentId", "identity.authorization.evidence.roleAssignmentScope", "identity.authorization.evidence.roleDefinitionId" to "principal.resource.attribute.labels".
2024-05-03 Enhancement:
- When "category" is "SignInLogs", then mapped "properties.userDisplayName" to "principal.user.user_display_name".
- Mapped "properties.requestbody.properties.priority" and "properties.response.properties.priority" to "security_result.detection_fields".
- Mapped "properties.requestbody.properties.protocol" to "network.ip_protocol".
- Mapped "properties.requestbody.properties.direction" to "network.direction".
- Mapped "properties.response.properties.protocol" to "network.ip_protocol".
- Mapped "properties.response.properties.direction" to "network.direction".
- Mapped "properties.response.properties.destinationPortRange" to "target.port".
2024-04-26 Enhancement:
- Mapped "operationName.value" to "metadata.product_event_type".
- Mapped "category.value" to "security_result.category_details".
- Mapped "httpRequest.uri" to "network.http.referral_url".
- Mapped "httpRequest.method" to "network.http.method".
- Mapped "httpRequest.clientIpAddress" to "principal.ip" and "principal.asset.ip".
- Mapped "eventDataId" to "security_result.detection_fields".
- Mapped "httpRequest.clientRequestId" to "additional.fields".
2024-04-16 Enhancement:
- Added support to map "network.application_protocol" if "protocol" is known, else mapped "protocol" to "additional.fields".
2024-04-12 Enhancement:
- Mapped "properties.requestbody.properties.allowBlobPublicAccess" to "security_result.detection_fields".
2024-04-10 Enhancement:
- Mapped "resourceId" to "target.resource.name".
- When "resourceId" is present, then mapped "targetResources.displayName", "identity", "Type", and "properties.resourceDisplayName" to "target.resource.attribute.labels".
2024-03-29
- Mapped "ResourceGUID" to "target.resource.product_object_id".
- Mapped "Type" to "target.resource.name".
- Mapped "ClientCity" to "principal.location.city".
- Mapped "ClientCountryOrRegion" to "principal.location.country_or_region".
- Mapped "ClientIP" to "principal.ip" and "principal.asset.ip".
- Mapped "ClientStateOrProvince" to "principal.location.state".
- Mapped "ClientType" to "principal.resource.attribute.labels".
- Mapped "IKey" to "target.resource.attribute.labels".
- Mapped "_BilledSize" and "DurationMs" to "additional.fields".
- Mapped "OperationId", "SDKVersion", and "ItemCount" to "properties.operationId".
- Mapped "ParentId", "Properties.WebtestLocationId", "Properties.FullTestResultAvailable", "Properties.SourceId", "Properties._MS_altIds", "Properties.WebtestArmResourceName", "Properties.SyntheticMonitorId", and "Success" to "security_result.detection_fields".
- Mapped "Message" to "metadata.description".
- Mapped "Id" to "principal.resource.product_object_id".
- Mapped "Name" to "principal.resource.name".
2024-03-25
- When "properties.requestbody.Properties.RoleDefinitionId" is not empty, then set "security_result.detection_fields.key" to "RequestBody roleDefinitionId".
- Mapped "properties.roleDefinitionId", "properties.principalId", "properties.responseBody.properties.roleDefinitionId", and "properties.requestbody.Properties.PrincipalId" to "security_result.detection_fields".
2024-03-13 Enhancement:
- Mapped "properties.requestbody.properties.roleDefinitionId" and "properties.requestbody.properties.principalId" to "security_result.detection_fields".
2024-03-05 Enhancement:
- Mapped "resultType" to "security_result.action_details".
- Mapped "properties.requestbody.Properties.PrincipalId" to "principal.user.userid".
- When "resultType" is not empty, then mapped "properties.status.failureReason" to "security_result.detection_fields".
- Mapped "properties.hardwareProfile.vmSize", "properties.provisioningState", "properties.requestbody.Properties.RoleDefinitionId" to "security_result.detection_fields".
2024-02-13 Bug-Fix:
- When "identity.UserName" is an email address, then map it to "principal.user.email_addresses"; otherwise map it to "principal.user.user_display_name".
2024-02-12 Enhancement:
- Added support for JSON logs that were being dropped.
- Mapped "OperationNameValue" to "metadata.product_event_type".
- Mapped "properties.eventDataId", "properties.subscriptionId", "properties.resourceGroup", and "properties.resourceProviderValue" to "security_result.detection_fields".
- Mapped "Caller" to "principal.user.userid".
- Mapped "ActivityStatusValue" to "security_result.action".
2024-02-01 Bug-Fix:
- When the "category" field has the value "NonInteractiveUserSignInLogs" or "OperationName" is "Sign-in activity", then changed "metadata.event_type" from "USER_LOGOUT" to "USER_LOGIN".
- Mapped "properties.incomingTokenType" and "properties.deviceDetail.browser" to "additional.fields".
- Mapped "properties.userAgent" to "network.http.user_agent".
- Mapped "properties.deviceDetail.browser" to "network.http.user_agent" only when "properties.userAgent" is not present.
- Mapped parsed "user_agent_field" to "network.http.parsed_user_agent".
- Mapped "properties.eventProperties.clientIPAddress" and "callerIpAddress" to "principal.asset.ip".
- Mapped "hostname", "rscname" and "properties.eventProperties.compromisedHost" to "principal.asset.hostname".
2024-01-07 Bug-Fix:
- Added a Grok pattern to validate "callerIpAddress" as an IP address.
- Mapped "properties.accountName" to "principal.user.userid".
- Mapped "uri" to "network.http.referral_url".
- Mapped "properties.userAgentHeader" to "network.http.user_agent".
- Mapped "properties.tlsVersion" to "network.tls.version".
- Mapped "statusCode" to "network.http.response_code".
- Mapped "protocol" to "network.application_protocol".
- Mapped "properties.clientRequestId", "properties.etag", "properties.objectKey", "properties.responseMd5" and "resourceType" to "additional.fields".
2023-10-09 Enhancement:
- Added support to parse unparsed logs.
- Renamed the following fields:
  - From "OperationName" to "operationName".
  - From "CorrelationId" to "correlationId".
  - From "Category" to "category".
  - From "ResourceId" to "resourceId".
  - From "ResultType" to "resultType".
- Mapped "ProviderName", "ProviderGuid" to "security_result.detection_fields".
- Mapped "ResultDescription" to "metadata.description".
2023-09-13 Enhancement -
- Mapped "properties.eventCategory" to "security_result.detection_fields".
- Mapped "properties.operationId" and "operationName" to "security_result.detection_fields".
- Mapped "properties.eventName" to "security_result.summary".
- Mapped "properties.EventName" to "security_result.summary".
- Mapped "properties.legacyResourceType" to "security_result.detection_fields".
- Mapped "properties.CallerCredentialType" to "security_result.detection_fields".
- Mapped "properties.EventChannel" to "security_result.detection_fields".
- Mapped "properties.EventSource" to "security_result.detection_fields".
- Mapped "properties.legacyResourceId" to "security_result.detection_fields".
- Mapped "properties.eventProperties.User" to "principal.user.id" and "principal.user.email_addresses".
- Mapped "properties.Caller" to "principal.user.id" and "principal.user.email_addresses".
- Mapped "caller" to "principal.user.id" and "principal.user.email_addresses".
- Mapped "properties.IpAddress" to "principal.ip".
- Mapped "properties.Description_scrubbed" to "security_result.description".
2023-02-22 Enhancement -
- Mapped "tenantId" to "metadata.product_deployment_id".
- Mapped "operationName" to "metadata.product_event_type".
- Mapped "category" to "security_result.category_details".
- Mapped "callerIpAddress" to "principal.ip".
- Mapped "identity" to "target.resource.name".
- Mapped "result" to "security_result.action_details".
- Mapped "properties.activityDisplayName" to "security_result.summary".
- Mapped "location" to "principal.location.name".
- Mapped "Level" to "security_result.severity_details".
- Mapped "properties.initiatedBy.app.displayName" to "principal.application".
- Mapped "properties.targetResources.displayName" to "target.resource.name".
- Mapped "properties.targetResources.id" to "target.resource.product_object_id".
- Mapped "properties.targetResources.modifiedProperties.displayName" to "target.user.attribute.labels".
- Mapped "properties.additionalDetails" to "additional.fields".
- Mapped "properties.loggedByService" to "target.application".
- Mapped "properties.userId" to "target.user.product_object_id".
- Mapped "properties.resourceDisplayName" to "target.resource.name".
- Mapped "properties.location.city" to "principal.location.city".
- Mapped "properties.location.state" to "principal.location.state".
- Mapped "properties.location.countryOrRegion" to "principal.location.country_or_region".
- Mapped "properties.ipAddress" to "principal.ip".
- Mapped "properties.location.geoCoordinates.latitude" to "principal.location.region_latitude".
- Mapped "properties.location.geoCoordinates.longitude" to "principal.location.region_longitude".
- Mapped "properties.servicePrincipalId" to "principal.user.userid".
- Mapped "properties.servicePrincipalName" to "principal.user.user_display_name".
- Mapped "properties.tokenIssuerType", "properties.authenticationProcessingDetails.0.value", "properties.operationType", "properties.authenticationRequirement", and "properties.deviceDetail.trustType" to "additional.fields".
- Mapped "resultDescription" to "metadata.description".
- Mapped "properties.userDisplayName" to "target.user.user_display_name".
- Mapped "properties.appDisplayName" to "target.application".
- Mapped "properties.userType" to "principal.user.attribute.roles".
- Mapped "properties.status.failureReason" to "security_result.action_details".
- Mapped "properties.deviceDetail.operatingSystem" to "principal.platform_version".
- Mapped "properties.deviceDetail.displayName" to "principal.asset.hardware".
- Mapped "properties.deviceDetail.browser" to "network.http.user_agent".
- Mapped "properties.userPrincipalName" to "principal.user.email_addresses".
2022-11-28 Enhancement -
- Mapped the field 'correlationId' to 'security_result.detection_fields'.
- Mapped the field 'level' to 'security_result.severity_details'.
- Added the following mappings for the category 'ResourceHealth':
  - Mapped the field 'properties.legacyEventDataId' to 'security_result.detection_fields'.
  - Mapped the field 'properties.legacyChannels' to 'security_result.detection_fields'.
  - Mapped the field 'properties.legacySubscriptionId' to 'security_result.detection_fields'.
  - Mapped the field 'properties.legacyResourceGroup' to 'security_result.detection_fields'.
  - Mapped the field 'properties.legacyResourceProviderName' to 'security_result.detection_fields'.
  - Mapped the field 'properties.eventProperties.currentHealthStatus' to 'security_result.detection_fields'.
  - Mapped the field 'properties.eventProperties.previousHealthStatus' to 'security_result.detection_fields'.
  - Mapped the field 'properties.eventProperties.type' to 'security_result.detection_fields'.
  - Mapped the field 'properties.eventProperties.cause' to 'security_result.detection_fields'.
2022-09-26 Enhancement - Added fields.
- Mapped "tenantId" to "metadata.product_deployment_id".
2022-06-20 Enhancement -
- Added conditional check for "entity_properties".
- When "category" is equal to "Security":
  - Mapped "properties.eventProperties.clientIPAddress" to "principal.ip".
  - Mapped "properties.eventProperties.accountSessionId" to "network.session_id".
  - Mapped "properties.eventProperties.suspiciousProcess" to "target.process.file.full_path".
  - Mapped "properties.eventProperties.suspiciousCommandLine" to "target.process.command_line".
  - Mapped "properties.eventProperties.suspiciousProcessId" to "target.process.pid".
  - Mapped "properties.eventProperties.compromisedHost" to "principal.hostname".
- Mapped "resultDescription" to "metadata.description".
- Mapped "properties.legacySubscriptionId" to "security_result.detection_fields".
- Mapped "properties.legacyResourceProviderName" to "security_result.detection_fields".
2022-05-19 Enhancement - Added and modified multiple fields.
- Mapped "claims", "Identity", "aud", "tenantid", "principalId", "action", "appidacr", "iat", "exp", "nbf", "rh", "uti", "ver", "xms_tcdt", "principalType", "roleAssignmentId", "appid", "aio", "iss", "nameidentifier", "roleDefinitionId", and "scope" to "security_result.detection_fields".
- Mapped "resultSignature", "resultType", "hierarchy", "resource_type", and "entity" to "additional.fields".
- Mapped "RoleLocation" to "location.name".
- Mapped "category" to "security_result.category_details".