Change log for AZURE_ACTIVITY
Date | Changes |
---|---|
2024-09-25 | Enhancement:
- Mapped "DOMAIN_ACCOUNT_TYPE" to "principal.user.account_type" when "identity.claims.idtyp" is equal to "user".
- Mapped "SERVICE_ACCOUNT_TYPE" to "principal.user.account_type" when "identity.claims.idtyp" is equal to "app".
- Mapped "identity.claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" to "principal.user.userid".
- Mapped "identity.claims.http://schemas.microsoft.com/identity/claims/objectidentifier" to "principal.user.product_object_id". |
2024-08-21 | Enhancement:
- Mapped "identity.authorization.evidence.principalId" to "principal.user.userid". |
2024-08-08 | Enhancement:
- Added support to handle JSON logs. |
2024-07-10 | Enhancement:
- If "identity.authorization.evidence.principalType" is equal to "Group", then mapped "identity.authorization.evidence.principalId" to "principal.group.product_object_id".
- If "identity.authorization.evidence.principalType" is equal to "User" or "ServicePrincipal", then mapped "identity.authorization.evidence.principalId" to "principal.user.product_object_id".
- Added a gsub that renames the field "properties" to "properties.test", and removed the field that consists of only "properties". |
2024-07-08 | Enhancement:
- Mapped "properties.compromisedEntity", "properties.attackedResourceType", and "properties.intent" to "target.resource.attribute.labels".
- Mapped "properties.severity" to "security_result.severity". |
2024-06-18 | Enhancement:
- Mapped "operationVersion" to "metadata.product_version".
- Mapped "properties.authenticationRequirementPolicies.requirementProvider" and "properties.authenticationRequirementPolicies.detail" to "security_result.detection_fields".
- Mapped "properties.authenticationDetails.StatusSequence", "properties.correlationId", "properties.uniqueTokenIdentifier" and "properties.authenticationDetails.RequestSequence" to "security_result.detection_fields".
- Mapped "properties.appDisplayName" to "target.application".
- Mapped "properties.conditionalAccessStatus", "properties.appliedConditionalAccessPolicies", "properties.authenticationContextClassReferences", "properties.signInTokenProtectionStatus", "properties.originalRequestId", "properties.authenticationProcessingDetails", "properties.clientCredentialType", "properties.processingTimeInMilliseconds", "properties.riskDetail", "properties.riskLevelAggregated", "properties.riskLevelDuringSignIn", "properties.riskState" and "properties.originalTransferMethod" to "additional.fields".
- Mapped "properties.riskEventTypes", "properties.riskEventTypes_v2", "properties.homeTenantId", "properties.autonomousSystemNumber" and "properties.privateLinkDetails" to "additional.fields".
- Mapped "properties.resourceId", "properties.resourceTenantId" and "properties.resourceServicePrincipalId" to "target.resource.attribute.labels".
- Mapped "properties.userType" to "principal.user.attribute.roles".
- Mapped "properties.userPrincipalName" to "principal.user.email_addresses".
- Mapped "properties.clientAppUsed" to "principal.application".
- Mapped "properties.deviceDetail.deviceId" to "principal.asset.asset_id" and "principal.asset_id".
- Mapped "properties.appId" to "target.resource.attribute.labels".
- Mapped "properties.status.additionalDetails" to "security_result.description".
- Mapped "properties.responseBody.name" to "security_result.rule_name".
- Mapped "properties.responseBody.properties.sourcePortRanges" and "properties.responseBody.properties.destinationPortRanges" to "additional.fields".
- When "properties.responseBody.properties.sourceAddressPrefixes" is a single IP address, then mapped it to "principal.ip".
- When "properties.responseBody.properties.sourceAddressPrefixes" is a range of IP addresses, then mapped it to "additional.fields".
- When "properties.responseBody.properties.sourceAddressPrefix" is a single IP address or an IP address with a port, then mapped it to "principal.ip" and "principal.port".
- When "properties.responseBody.properties.sourceAddressPrefix" is a range of IP addresses, then mapped it to "additional.fields".
- When "properties.responseBody.properties.destinationAddressPrefixes" is a single IP address, then mapped it to "target.ip".
- When "properties.responseBody.properties.destinationAddressPrefixes" is a range of IP addresses, then mapped it to "additional.fields".
- When "properties.responseBody.properties.destinationAddressPrefix" is a single IP address or an IP address with a port, then mapped it to "target.ip" and "target.port".
- When "properties.responseBody.properties.destinationAddressPrefix" is a range of IP addresses, then mapped it to "additional.fields".
- When "properties.responseBody.properties.sourcePortRange" is a single port, then mapped it to "principal.port".
- When "properties.responseBody.properties.sourcePortRange" is a range of ports, then mapped it to "additional.fields".
- When "properties.responseBody.properties.destinationPortRange" is a single port, then mapped it to "target.port".
- When "properties.responseBody.properties.destinationPortRange" is a range of ports, then mapped it to "additional.fields".
- Mapped "properties.id" and "properties.status.errorCode" to "security_result.detection_fields".
- Mapped "properties.isInteractive" to "extensions.auth.mechanism".
- When "properties.deviceDetail.operatingSystem" is "ANDROID", then mapped "principal.platform" to "ANDROID". |
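The 2024-06-18 entry above routes each network security group rule field differently depending on whether its value is a single address or port (to principal/target ip and port) or a range (to additional.fields). The script below is an added example, not the parser's own code, that applies those rules to a constructed responseBody.properties block so the routing can be checked against real records; it assumes that values which are neither a single IP nor a CIDR, such as "*" or service tags like "Internet", are treated like ranges and kept verbatim in additional.fields, which the changelog does not spell out.

```python
import ipaddress
import json
import re
from typing import Any, Dict, Optional, Tuple

# Constructed sample (not a captured log): the properties.responseBody.properties
# block of an Azure Activity record for a securityRules/write operation, with a
# deliberate mix of a single address with a port, CIDR ranges, a wildcard port
# and a port range so that every branch of the routing fires.
SAMPLE_RULE_PROPERTIES: Dict[str, Any] = {
    "sourceAddressPrefix": "203.0.113.7:51515",
    "destinationAddressPrefix": "10.0.0.0/24",
    "sourcePortRange": "*",
    "destinationPortRange": "3389",
    "sourceAddressPrefixes": ["198.51.100.0/24", "198.51.100.9"],
    "destinationAddressPrefixes": [],
    "sourcePortRanges": [],
    "destinationPortRanges": ["80", "8000-8080"],
}

# host:port forms: "203.0.113.7:443" or "[2001:db8::1]:443"
_HOST_PORT = re.compile(r"^(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<v4>[0-9.]+)):(?P<port>\d{1,5})$")


def parse_address(value: str) -> Optional[Tuple[str, Optional[int]]]:
    """(ip, port) for a single IP address, optionally with a port; None for
    anything else (CIDR ranges, "*", service tags such as "Internet")."""
    m = _HOST_PORT.match(value)
    host = (m.group("v6") or m.group("v4")) if m else value
    try:
        ip = str(ipaddress.ip_address(host))
    except ValueError:
        return None
    if m is None:
        return ip, None
    port = int(m.group("port"))
    return (ip, port) if 0 < port <= 65535 else None


def parse_port(value: str) -> Optional[int]:
    """Integer for a single port; None for "*" and "low-high" ranges."""
    return int(value) if value.isdigit() and 0 < int(value) <= 65535 else None


def map_nsg_rule(props: Dict[str, Any]) -> Dict[str, Any]:
    """Route each rule field to principal/target ip and port, or to
    additional.fields, following the single-value vs range rules above."""
    udm: Dict[str, Any] = {
        "principal": {"ip": [], "port": None},
        "target": {"ip": [], "port": None},
        "additional": {"fields": {}},
    }
    extra: Dict[str, Any] = udm["additional"]["fields"]

    # Singular prefixes: single IP (optionally with port) -> ip/port, else verbatim.
    for field, side in (("sourceAddressPrefix", "principal"),
                        ("destinationAddressPrefix", "target")):
        value = props.get(field)
        if not value:
            continue
        parsed = parse_address(value)
        if parsed is None:
            extra[field] = value  # assumption: ranges, "*" and tags kept verbatim
        else:
            udm[side]["ip"].append(parsed[0])
            if parsed[1] is not None:
                udm[side]["port"] = parsed[1]

    # Plural prefix lists: each single IP -> ip list, each range -> additional.fields.
    for field, side in (("sourceAddressPrefixes", "principal"),
                        ("destinationAddressPrefixes", "target")):
        for value in props.get(field) or []:
            parsed = parse_address(value)
            if parsed is None:
                extra.setdefault(field, []).append(value)
            else:
                udm[side]["ip"].append(parsed[0])

    # Singular port fields: one port -> port, "*" or a range -> additional.fields.
    for field, side in (("sourcePortRange", "principal"),
                        ("destinationPortRange", "target")):
        value = props.get(field)
        if not value:
            continue
        port = parse_port(value)
        if port is None:
            extra[field] = value
        else:
            udm[side]["port"] = port

    # Plural port lists always land in additional.fields.
    for field in ("sourcePortRanges", "destinationPortRanges"):
        if props.get(field):
            extra[field] = list(props[field])
    return udm


if __name__ == "__main__":
    print(json.dumps(map_nsg_rule(SAMPLE_RULE_PROPERTIES), indent=2))
```

Note that a /32 or /128 prefix is still a CIDR string and therefore lands in additional.fields rather than principal.ip, so a detection that keys on principal.ip will miss rules written that way; query both fields if the rule author's notation is not under your control.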
2024-06-03 | Enhancement:
- Mapped "SUBSCRIPTIONS", "RESOURCEGROUPS", "STORAGEACCOUNTS", "PROVIDERS" and "SNAPSHOTS" from "resourceId" to "target.resource.attribute.labels". |
2024-05-21 | Enhancement:
- If "identity.authorization.evidence.principalType" is equal to "User", "Group", or "Application", then mapped "principal.resource.type" to "UNSPECIFIED".
- Mapped "identity.authorization.evidence.role" to "principal.user.role_name".
- Mapped "identity.authorization.evidence.principalType" to "principal.resource.resource_subtype".
- Mapped "identity.authorization.evidence.principalId" to "principal.user.product_object_id".
- Mapped "identity.authorization.evidence.roleAssignmentId", "identity.authorization.evidence.roleAssignmentScope" and "identity.authorization.evidence.roleDefinitionId" to "principal.resource.attribute.labels". |
2024-05-03 | Enhancement:
- When "category" is "SignInLogs", then mapped "properties.userDisplayName" to "principal.user.user_display_name".
- Mapped "properties.requestbody.properties.priority" and "properties.response.properties.priority" to "security_result.detection_fields".
- Mapped "properties.requestbody.properties.protocol" to "network.ip_protocol".
- Mapped "properties.requestbody.properties.direction" to "network.direction".
- Mapped "properties.response.properties.protocol" to "network.ip_protocol".
- Mapped "properties.response.properties.direction" to "network.direction".
- Mapped "properties.response.properties.destinationPortRange" to "target.port". |
2024-04-26 | Enhancement:
- Mapped "operationName.value" to "metadata.product_event_type".
- Mapped "category.value" to "security_result.category_details".
- Mapped "httpRequest.uri" to "network.http.referral_url".
- Mapped "httpRequest.method" to "network.http.method".
- Mapped "httpRequest.clientIpAddress" to "principal.ip" and "principal.asset.ip".
- Mapped "eventDataId" to "security_result.detection_fields".
- Mapped "httpRequest.clientRequestId" to "additional.fields". |
2024-04-16 | Enhancement:
- Added support to map "network.application_protocol" if "protocol" is known, else mapped "protocol" to "additional.fields". |
2024-04-12 | Enhancement:
- Mapped "properties.requestbody.properties.allowBlobPublicAccess" to "security_result.detection_fields". |
2024-04-10 | Enhancement:
- Mapped "resourceId" to "target.resource.name".
- When "resourceId" is present, then mapped "targetResources.displayName", "identity", "Type", and "properties.resourceDisplayName" to "target.resource.attribute.labels". |
2024-03-29 | - Mapped "ResourceGUID" to "target.resource.product_object_id".
- Mapped "Type" to "target.resource.name".
- Mapped "ClientCity" to "principal.location.city".
- Mapped "ClientCountryOrRegion" to "principal.location.country_or_region".
- Mapped "ClientIP" to "principal.ip" and "principal.asset.ip".
- Mapped "ClientStateOrProvince" to "principal.location.state".
- Mapped "ClientType" to "principal.resource.attribute.labels".
- Mapped "IKey" to "target.resource.attribute.labels".
- Mapped "_BilledSize" and "DurationMs" to "additional.fields".
- Mapped "OperationId", "SDKVersion", and "ItemCount" to "properties.operationId".
- Mapped "ParentId", "Properties.WebtestLocationId", "Properties.FullTestResultAvailable", "Properties.SourceId", "Properties._MS_altIds", "Properties.WebtestArmResourceName", "Properties.SyntheticMonitorId", and "Success" to "security_result.detection_fields".
- Mapped "Message" to "metadata.description".
- Mapped "Id" to "principal.resource.product_object_id".
- Mapped "Name" to "principal.resource.name". |
2024-03-25 | - When "properties.requestbody.Properties.RoleDefinitionId" is not empty, then set "security_result.detection_fields.key" to "RequestBody roleDefinitionId".
- Mapped "properties.roleDefinitionId", "properties.principalId", "properties.responseBody.properties.roleDefinitionId", and "properties.requestbody.Properties.PrincipalId" to "security_result.detection_fields". |
2024-03-13 | Enhancement:
- Mapped "properties.requestbody.properties.roleDefinitionId" and "properties.requestbody.properties.principalId" to "security_result.detection_fields". |
2024-03-05 | Enhancement:
- Mapped "resultType" to "security_result.action_details".
- Mapped "properties.requestbody.Properties.PrincipalId" to "principal.user.userid".
- When "resultType" is not empty, then mapped "properties.status.failureReason" to "security_result.detection_fields".
- Mapped "properties.hardwareProfile.vmSize", "properties.provisioningState" and "properties.requestbody.Properties.RoleDefinitionId" to "security_result.detection_fields". |
2024-02-13 | Bug-Fix:
- When "identity.UserName" is an email address, then mapped it to "principal.user.email_addresses"; otherwise mapped it to "principal.user.user_display_name". |
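Several entries on this page (2024-09-25, 2024-08-21, 2024-07-10, 2024-05-21 and the 2024-02-13 fix above) together decide how the identity block of an Azure Activity record becomes a UDM principal: the token type claim sets the account type, the RBAC principalType decides whether principalId describes a user or a group, and UserName is routed by whether it looks like an email address. The script below is an added example, not the parser's own code, that applies those rules to three constructed records. The email check is a simple pattern chosen for this example, and the assumption that the principalId feeds userid only when no UPN claim has already supplied one is this example's, not something the changelog states.

```python
import re
from typing import Any, Dict

UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
OID_CLAIM = "http://schemas.microsoft.com/identity/claims/objectidentifier"
# Loose pattern, chosen for this example, used only to decide email vs display name.
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample records (not captured logs), reduced to the identity block
# of Azure Activity administrative events: a user, a service principal, and a
# role assignment whose principal is a group.
SAMPLE_USER_EVENT = {"identity": {
    "claims": {"idtyp": "user", UPN_CLAIM: "alice@example.com",
               OID_CLAIM: "11111111-1111-1111-1111-111111111111"},
    "authorization": {"evidence": {
        "principalType": "User", "role": "Contributor",
        "principalId": "11111111-1111-1111-1111-111111111111"}},
    "UserName": "alice@example.com",
}}
SAMPLE_APP_EVENT = {"identity": {
    "claims": {"idtyp": "app"},
    "authorization": {"evidence": {
        "principalType": "ServicePrincipal", "role": "Reader",
        "principalId": "22222222-2222-2222-2222-222222222222"}},
    "UserName": "deploy-pipeline",
}}
SAMPLE_GROUP_EVENT = {"identity": {
    "claims": {"idtyp": "user", UPN_CLAIM: "bob@example.com"},
    "authorization": {"evidence": {
        "principalType": "Group", "role": "Owner",
        "principalId": "33333333-3333-3333-3333-333333333333"}},
}}


def map_principal(event: Dict[str, Any]) -> Dict[str, Any]:
    """Build the principal.user / principal.group fields from the identity block."""
    identity = event.get("identity") or {}
    claims = identity.get("claims") or {}
    evidence = (identity.get("authorization") or {}).get("evidence") or {}
    user: Dict[str, Any] = {}
    group: Dict[str, Any] = {}

    # 2024-09-25: the token type claim decides the account type; UPN and
    # object id claims give userid and product_object_id.
    idtyp = claims.get("idtyp")
    if idtyp == "user":
        user["account_type"] = "DOMAIN_ACCOUNT_TYPE"
    elif idtyp == "app":
        user["account_type"] = "SERVICE_ACCOUNT_TYPE"
    if claims.get(UPN_CLAIM):
        user["userid"] = claims[UPN_CLAIM]
    if claims.get(OID_CLAIM):
        user["product_object_id"] = claims[OID_CLAIM]

    # 2024-07-10: route the RBAC principalId by principalType.
    ptype, pid = evidence.get("principalType"), evidence.get("principalId")
    if pid:
        if ptype == "Group":
            group["product_object_id"] = pid
        elif ptype in ("User", "ServicePrincipal"):
            user["product_object_id"] = pid
            # 2024-08-21 maps principalId to userid as well; assumed here to
            # apply only when no UPN claim has already filled userid.
            user.setdefault("userid", pid)
    if evidence.get("role"):
        user["role_name"] = evidence["role"]  # 2024-05-21

    # 2024-02-13: UserName is either an email address or a display name.
    username = identity.get("UserName")
    if username:
        if _EMAIL.match(username):
            user["email_addresses"] = [username]
        else:
            user["user_display_name"] = username
    return {"user": user, "group": group}
```

Running map_principal over the three samples shows the practical consequence for detection content: a role assignment granted to a group produces no principal.user.product_object_id at all, so a rule that alerts on privileged role assignments must also read principal.group.product_object_id or it will miss group-based grants.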
2024-02-12 | Enhancement:
- Added support for JSON logs that were being dropped.
- Mapped "OperationNameValue" to "metadata.product_event_type".
- Mapped "properties.eventDataId", "properties.subscriptionId", "properties.resourceGroup", and "properties.resourceProviderValue" to "security_result.detection_fields".
- Mapped "Caller" to "principal.user.userid".
- Mapped "ActivityStatusValue" to "security_result.action". |
2024-02-01 | Bug-Fix:
- When the "category" field has the value "NonInteractiveUserSignInLogs" or "OperationName" is "Sign-in activity", then changed "metadata.event_type" from "USER_LOGOUT" to "USER_LOGIN".
- Mapped "properties.incomingTokenType" and "properties.deviceDetail.browser" to "additional.fields".
- Mapped "properties.userAgent" to "network.http.user_agent".
- When "properties.userAgent" does not exist, then mapped "properties.deviceDetail.browser" to "network.http.user_agent" instead.
- Mapped the parsed "user_agent_field" to "network.http.parsed_user_agent".
- Mapped "properties.eventProperties.clientIPAddress" and "callerIpAddress" to "principal.asset.ip".
- Mapped "hostname", "rscname" and "properties.eventProperties.compromisedHost" to "principal.asset.hostname". |
2024-01-07 | Bug-Fix:
- Added a Grok pattern to validate "callerIpAddress" as an IP address.
- Mapped "properties.accountName" to "principal.user.userid".
- Mapped "uri" to "network.http.referral_url".
- Mapped "properties.userAgentHeader" to "network.http.user_agent".
- Mapped "properties.tlsVersion" to "network.tls.version".
- Mapped "statusCode" to "network.http.response_code".
- Mapped "protocol" to "network.application_protocol".
- Mapped "properties.clientRequestId", "properties.etag", "properties.objectKey", "properties.responseMd5" and "resourceType" to "additional.fields". |
2023-10-09 | Enhancement:
- Added support to parse previously unparsed logs.
- Renamed the following fields: "OperationName" to "operationName", "CorrelationId" to "correlationId", "Category" to "category", "ResourceId" to "resourceId", and "ResultType" to "resultType".
- Mapped "ProviderName" and "ProviderGuid" to "security_result.detection_fields".
- Mapped "ResultDescription" to "metadata.description". |
2023-09-13 | Enhancement:
- Mapped "properties.eventCategory" to "security_result.detection_fields".
- Mapped "properties.operationId" and "operationName" to "security_result.detection_fields".
- Mapped "properties.eventName" to "security_result.summary".
- Mapped "properties.EventName" to "security_result.summary".
- Mapped "properties.legacyResourceType" to "security_result.detection_fields".
- Mapped "properties.CallerCredentialType" to "security_result.detection_fields".
- Mapped "properties.EventChannel" to "security_result.detection_fields".
- Mapped "properties.EventSource" to "security_result.detection_fields".
- Mapped "properties.legacyResourceId" to "security_result.detection_fields".
- Mapped "properties.eventProperties.User" to "principal.user.id" and "principal.user.email_addresses".
- Mapped "properties.Caller" to "principal.user.id" and "principal.user.email_addresses".
- Mapped "caller" to "principal.user.id" and "principal.user.email_addresses".
- Mapped "properties.IpAddress" to "principal.ip".
- Mapped "properties.Description_scrubbed" to "security_result.description". |
2023-02-22 | Enhancement:
- Mapped "tenantId" to "metadata.product_deployment_id".
- Mapped "operationName" to "metadata.product_event_type".
- Mapped "category" to "security_result.category_details".
- Mapped "callerIpAddress" to "principal.ip".
- Mapped "identity" to "target.resource.name".
- Mapped "result" to "security_result.action_details".
- Mapped "properties.activityDisplayName" to "security_result.summary".
- Mapped "location" to "principal.location.name".
- Mapped "Level" to "security_result.severity_details".
- Mapped "properties.initiatedBy.app.displayName" to "principal.application".
- Mapped "properties.targetResources.displayName" to "target.resource.name".
- Mapped "properties.targetResources.id" to "target.resource.product_object_id".
- Mapped "properties.targetResources.modifiedProperties.displayName" to "target.user.attribute.labels".
- Mapped "properties.additionalDetails" to "additional.fields".
- Mapped "properties.loggedByService" to "target.application".
- Mapped "properties.userId" to "target.user.product_object_id".
- Mapped "properties.resourceDisplayName" to "target.resource.name".
- Mapped "properties.location.city" to "principal.location.city".
- Mapped "properties.location.state" to "principal.location.state".
- Mapped "properties.location.countryOrRegion" to "principal.location.country_or_region".
- Mapped "properties.ipAddress" to "principal.ip".
- Mapped "properties.location.geoCoordinates.latitude" to "principal.location.region_latitude".
- Mapped "properties.location.geoCoordinates.longitude" to "principal.location.region_longitude".
- Mapped "properties.servicePrincipalId" to "principal.user.userid".
- Mapped "properties.servicePrincipalName" to "principal.user.user_display_name".
- Mapped "properties.tokenIssuerType", "properties.authenticationProcessingDetails.0.value", "properties.operationType", "properties.authenticationRequirement" and "properties.deviceDetail.trustType" to "additional.fields".
- Mapped "resultDescription" to "metadata.description".
- Mapped "properties.userDisplayName" to "target.user.user_display_name".
- Mapped "properties.appDisplayName" to "target.application".
- Mapped "properties.userType" to "principal.user.attribute.roles".
- Mapped "properties.status.failureReason" to "security_result.action_details".
- Mapped "properties.deviceDetail.operatingSystem" to "principal.platform_version".
- Mapped "properties.deviceDetail.displayName" to "principal.asset.hardware".
- Mapped "properties.deviceDetail.browser" to "network.http.user_agent".
- Mapped "properties.userPrincipalName" to "principal.user.email_addresses". |
2022-11-28 | Enhancement:
- Mapped the field "correlationId" to "security_result.detection_fields".
- Mapped the field "level" to "security_result.severity_details".
- Added the following mappings for the category "ResourceHealth":
  - Mapped the field "properties.legacyEventDataId" to "security_result.detection_fields".
  - Mapped the field "properties.legacyChannels" to "security_result.detection_fields".
  - Mapped the field "properties.legacySubscriptionId" to "security_result.detection_fields".
  - Mapped the field "properties.legacyResourceGroup" to "security_result.detection_fields".
  - Mapped the field "properties.legacyResourceProviderName" to "security_result.detection_fields".
  - Mapped the field "properties.eventProperties.currentHealthStatus" to "security_result.detection_fields".
  - Mapped the field "properties.eventProperties.previousHealthStatus" to "security_result.detection_fields".
  - Mapped the field "properties.eventProperties.type" to "security_result.detection_fields".
  - Mapped the field "properties.eventProperties.cause" to "security_result.detection_fields". |
2022-09-26 | Enhancement: Added fields.
- Mapped "tenantId" to "metadata.product_deployment_id". |
2022-06-20 | Enhancement:
- Added a conditional check for "entity_properties".
- When "category" is equal to "Security":
- Mapped "properties.eventProperties.clientIPAddress" to "principal.ip".
- Mapped "properties.eventProperties.accountSessionId" to "network.session_id".
- Mapped "properties.eventProperties.suspiciousProcess" to "target.process.file.full_path".
- Mapped "properties.eventProperties.suspiciousCommandLine" to "target.process.command_line".
- Mapped "properties.eventProperties.suspiciousProcessId" to "target.process.pid".
- Mapped "properties.eventProperties.compromisedHost" to "principal.hostname".
- Mapped "resultDescription" to "metadata.description".
- Mapped "properties.legacySubscriptionId" to "security_result.detection_fields".
- Mapped "properties.legacyResourceProviderName" to "security_result.detection_fields". |
2022-05-19 | Enhancement: Added and modified multiple fields.
- Mapped "claims", "Identity", "aud", "tenantid", "principalId", "action", "appidacr", "iat", "exp", "nbf", "rh", "uti", "ver", "xms_tcdt", "principalType", "roleAssignmentId", "appid", "aio", "iss", "nameidentifier", "roleDefinitionId" and "scope" to "security_result.detection_fields".
- Mapped "resultSignature", "resultType", "hierarchy", "resource_type" and "entity" to "additional.fields".
- Mapped "RoleLocation" to "location.name".
- Mapped "category" to "security_result.category_details". |