Change log for AZURE_ACTIVITY

Date Changes
2024-03-13 Enhancement:
- Mapped "properties.requestbody.properties.roleDefinitionId" and "properties.requestbody.properties.principalId" to "security_result.detection_fields".
2024-03-05 Enhancement:
- Mapped "resultType" to "security_result.action_details".
- Mapped "properties.requestbody.Properties.PrincipalId" to "principal.user.userid".
- When "resultType" is not empty, mapped "properties.status.failureReason" to "security_result.detection_fields".
- Mapped "properties.hardwareProfile.vmSize", "properties.provisioningState", "properties.requestbody.Properties.RoleDefinitionId" to "security_result.detection_fields".
2024-02-13 Bug-Fix:
- When "identity.UserName" is an email address, mapped it to "principal.user.email_addresses"; otherwise mapped it to "principal.user.user_display_name".
2024-02-12 Enhancement:
- Added support for JSON logs that were previously being dropped.
- Mapped "OperationNameValue" to "metadata.product_event_type".
- Mapped "properties.eventDataId", "properties.subscriptionId", "properties.resourceGroup", and "properties.resourceProviderValue" to "security_result.detection_fields".
- Mapped "Caller" to "principal.user.userid".
- Mapped "ActivityStatusValue" to "security_result.action".
2024-02-01 Bug-Fix:
- When the "category" field has the value "NonInteractiveUserSignInLogs" or "OperationName" is "Sign-in activity", changed "metadata.event_type" from "USER_LOGOUT" to "USER_LOGIN".
- Mapped "properties.incomingTokenType" and "properties.deviceDetail.browser" to "additional.fields".
- Mapped "properties.userAgent" to "network.http.user_agent".
- Mapped "properties.deviceDetail.browser" to "network.http.user_agent" only when "properties.userAgent" is absent.
- Mapped parsed "user_agent_field" to "network.http.parsed_user_agent".
- Mapped "properties.eventProperties.clientIPAddress" and "callerIpAddress" to "principal.asset.ip".
- Mapped "hostname", "rscname" and "properties.eventProperties.compromisedHost" to "principal.asset.hostname".
2024-01-07 Bug-Fix:
- Added a Grok pattern to validate "callerIpAddress" as an IP address.
- Mapped "properties.accountName" to "principal.user.userid".
- Mapped "uri" to "network.http.referral_url".
- Mapped "properties.userAgentHeader" to "network.http.user_agent".
- Mapped "properties.tlsVersion" to "network.tls.version".
- Mapped "statusCode" to "network.http.response_code".
- Mapped "protocol" to "network.application_protocol".
- Mapped "properties.clientRequestId", "properties.etag", "properties.objectKey", "properties.responseMd5" and "resourceType" to "additional.fields".
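The 2024-02-13, 2024-02-01 and 2024-01-07 entries above describe conditional rules rather than plain field copies: the email-versus-display-name split for "identity.UserName", the USER_LOGIN correction for non-interactive sign-ins, the "properties.userAgent" / "properties.deviceDetail.browser" fallback, and the IP validation of "callerIpAddress". The following is an added, constructed Python re-implementation of those four rules for readers who want to see how they interact on a record; it is not the AZURE_ACTIVITY parser (which is written in Chronicle's parser configuration language), and the email regex, the sample records and the use of `ipaddress` in place of the parser's Grok pattern are assumptions made for illustration.

```python
# Illustrative, constructed re-implementation of four conditional rules from
# this change log (2024-02-13, 2024-02-01, 2024-01-07). Not the AZURE_ACTIVITY
# parser itself, which is written in Chronicle's parser configuration language.
import ipaddress
import re

# Assumption: the change log does not show the parser's email test, so a loose
# "one @, no whitespace, dotted domain" check stands in for it here.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def get_path(record, path):
    """Return the value at a dotted path such as 'properties.userAgent', or None."""
    cur = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def put_path(udm, path, value):
    """Set a dotted UDM-style path, creating intermediate dicts as needed."""
    parts = path.split(".")
    cur = udm
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def map_user_identity(record, udm):
    # 2024-02-13 bug-fix: an email-shaped identity.UserName goes to
    # principal.user.email_addresses, anything else to user_display_name.
    name = get_path(record, "identity.UserName")
    if not name:
        return
    if EMAIL_RE.match(name):
        put_path(udm, "principal.user.email_addresses", [name])
    else:
        put_path(udm, "principal.user.user_display_name", name)


def map_event_type(record, udm):
    # 2024-02-01 bug-fix: non-interactive sign-ins were labelled USER_LOGOUT;
    # they are logins.
    if (record.get("category") == "NonInteractiveUserSignInLogs"
            or record.get("OperationName") == "Sign-in activity"):
        put_path(udm, "metadata.event_type", "USER_LOGIN")


def map_user_agent(record, udm):
    # 2024-02-01: properties.userAgent is preferred; properties.deviceDetail.browser
    # feeds network.http.user_agent only when userAgent is absent or empty.
    ua = (get_path(record, "properties.userAgent")
          or get_path(record, "properties.deviceDetail.browser"))
    if ua:
        put_path(udm, "network.http.user_agent", ua)


def map_caller_ip(record, udm):
    # 2024-01-07 bug-fix: callerIpAddress is mapped only if it parses as an IP
    # address (the parser uses a Grok pattern; ipaddress plays that role here).
    raw = record.get("callerIpAddress")
    if not raw:
        return
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:
        return  # e.g. "<null>", a hostname or "ip:port": leave principal.ip unset
    put_path(udm, "principal.ip", [str(ip)])


def normalize(record):
    """Apply the rules above to one raw Azure record and return a UDM-style dict."""
    udm = {}
    for rule in (map_user_identity, map_event_type, map_user_agent, map_caller_ip):
        rule(record, udm)
    return udm


# Constructed sample records for demonstration; not real Azure output.
NONINTERACTIVE_SIGNIN = {
    "category": "NonInteractiveUserSignInLogs",
    "callerIpAddress": "203.0.113.7",
    "identity": {"UserName": "alice@example.com"},
    "properties": {"deviceDetail": {"browser": "Edge 120.0.0"}},
}

ACTIVITY_WITH_BAD_IP = {
    "category": "Administrative",
    "OperationName": "Microsoft.Compute/virtualMachines/write",
    "callerIpAddress": "<null>",
    "identity": {"UserName": "Alice Doe"},
    "properties": {"userAgent": "AzureCLI/2.55.0", "deviceDetail": {"browser": "Chrome"}},
}

if __name__ == "__main__":
    import json
    for rec in (NONINTERACTIVE_SIGNIN, ACTIVITY_WITH_BAD_IP):
        print(json.dumps(normalize(rec), indent=2))
```

The second sample shows why the IP check matters to a detection engineer: an Azure record whose "callerIpAddress" is a placeholder such as "<null>" must not end up as a principal IP, or downstream rules keyed on principal.ip will match on junk. Order of the rules is irrelevant here because each writes a disjoint UDM path.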
2023-10-09 Enhancement:
- Added support to parse unparsed logs.
- Renamed the following fields:
From "OperationName" to "operationName".
From "CorrelationId" to "correlationId".
From "Category" to "category".
From "ResourceId" to "resourceId".
From "ResultType" to "resultType".
- Mapped "ProviderName", "ProviderGuid" to "security_result.detection_fields".
- Mapped "ResultDescription" to "metadata.description".
2023-09-13 Enhancement -
- Mapped "properties.eventCategory" to "security_result.detection_fields".
- Mapped "properties.operationId" to "security_result.detection_fields".
- Mapped "properties.eventName" to "security_result.summary".
- Mapped "properties.EventName" to "security_result.summary".
- Mapped "properties.legacyResourceType" to "security_result.detection_fields".
- Mapped "properties.CallerCredentialType" to "security_result.detection_fields".
- Mapped "properties.EventChannel" to "security_result.detection_fields".
- Mapped "properties.EventSource" to "security_result.detection_fields".
- Mapped "properties.legacyResourceId" to "security_result.detection_fields".
- Mapped "properties.eventProperties.User" to "principal.user.id" and "principal.user.email_addresses".
- Mapped "properties.Caller" to "principal.user.id" and "principal.user.email_addresses".
- Mapped "caller" to "principal.user.id" and "principal.user.email_addresses".
- Mapped "properties.IpAddress" to "principal.ip".
- Mapped "properties.Description_scrubbed" to "security_result.description".
2023-02-22 Enhancement -
- Mapped "tenantId" to "metadata.product_deployment_id".
- Mapped "operationName" to "metadata.product_event_type".
- Mapped "category" to "security_result.category_details".
- Mapped "callerIpAddress" to "principal.ip".
- Mapped "identity" to "target.resource.name".
- Mapped "result" to "security_result.action_details".
- Mapped "properties.activityDisplayName" to "security_result.summary".
- Mapped "location" to "principal.location.name".
- Mapped "Level" to "security_result.severity_details".
- Mapped "properties.initiatedBy.app.displayName" to "principal.application".
- Mapped "properties.targetResources.displayName" to "target.resource.name".
- Mapped "properties.targetResources.id" to "target.resource.product_object_id".
- Mapped "properties.targetResources.modifiedProperties.displayName" to "target.user.attribute.labels".
- Mapped "properties.additionalDetails" to "additional.fields".
- Mapped "properties.loggedByService" to "target.application".
- Mapped "properties.userId" to "target.user.product_object_id".
- Mapped "properties.resourceDisplayName" to "target.resource.name".
- Mapped "properties.location.city" to "principal.location.city".
- Mapped "properties.location.state" to "principal.location.state".
- Mapped "properties.location.countryOrRegion" to "principal.location.country_or_region".
- Mapped "properties.ipAddress" to "principal.ip".
- Mapped "properties.location.geoCoordinates.latitude" to "principal.location.region_latitude".
- Mapped "properties.location.geoCoordinates.longitude" to "principal.location.region_longitude".
- Mapped "properties.servicePrincipalId" to "principal.user.userid".
- Mapped "properties.servicePrincipalName" to "principal.user.user_display_name".
- Mapped "properties.tokenIssuerType", "properties.authenticationProcessingDetails.0.value", "properties.operationType", "properties.authenticationRequirement" and "properties.deviceDetail.trustType" to "additional.fields".
- Mapped "resultDescription" to "metadata.description".
- Mapped "properties.userDisplayName" to "target.user.user_display_name".
- Mapped "properties.appDisplayName" to "target.application".
- Mapped "properties.userType" to "principal.user.attribute.roles".
- Mapped "properties.status.failureReason" to "security_result.action_details".
- Mapped "properties.deviceDetail.operatingSystem" to "principal.platform_version".
- Mapped "properties.deviceDetail.displayName" to "principal.asset.hardware".
- Mapped "properties.deviceDetail.browser" to "network.http.user_agent".
- Mapped "properties.userPrincipalName" to "principal.user.email_addresses".
2022-11-28 Enhancement -
- Mapped the field 'correlationId' to 'security_result.detection_fields'.
- Mapped the field 'level' to 'security_result.severity_details'.
- Added the following mappings for the category 'ResourceHealth':
- Mapped the field 'properties.legacyEventDataId' to 'security_result.detection_fields'.
- Mapped the field 'properties.legacyChannels' to 'security_result.detection_fields'.
- Mapped the field 'properties.legacySubscriptionId' to 'security_result.detection_fields'.
- Mapped the field 'properties.legacyResourceGroup' to 'security_result.detection_fields'.
- Mapped the field 'properties.legacyResourceProviderName' to 'security_result.detection_fields'.
- Mapped the field 'properties.eventProperties.currentHealthStatus' to 'security_result.detection_fields'.
- Mapped the field 'properties.eventProperties.previousHealthStatus' to 'security_result.detection_fields'.
- Mapped the field 'properties.eventProperties.type' to 'security_result.detection_fields'.
- Mapped the field 'properties.eventProperties.cause' to 'security_result.detection_fields'.
2022-09-26 Enhancement - Added fields.
- Mapped "tenantId" to "metadata.product_deployment_id".
2022-06-20 Enhancement -
- Added a conditional check on "entity_properties".
- Added the following mappings when "category" is equal to "Security":
- Mapped "properties.eventProperties.clientIPAddress" to "principal.ip".
- Mapped "properties.eventProperties.accountSessionId" to "network.session_id".
- Mapped "properties.eventProperties.suspiciousProcess" to "target.process.file.full_path".
- Mapped "properties.eventProperties.suspiciousCommandLine" to "target.process.command_line".
- Mapped "properties.eventProperties.suspiciousProcessId" to "target.process.pid".
- Mapped "properties.eventProperties.compromisedHost" to "principal.hostname".
- Mapped "resultDescription" to "metadata.description".
- Mapped "properties.legacySubscriptionId" to "security_result.detection_fields".
- Mapped "properties.legacyResourceProviderName" to "security_result.detection_fields".
2022-05-19 Enhancement - Added and modified multiple fields.
- Mapped "claims", "Identity", "aud", "tenantid", "principalId", "action", "appidacr", "iat", "exp", "nbf", "rh", "uti", "ver", "xms_tcdt", "principalType", "roleAssignmentId", "appid", "aio", "iss", "nameidentifier", "roleDefinitionId" and "scope" to "security_result.detection_fields".
- Mapped "resultSignature", "resultType", "hierarchy", "resource_type" and "entity" to "additional.fields".
- Mapped "RoleLocation" to "location.name".
- Mapped "category" to "security_result.category_details".