Change log for AZURE_AD_AUDIT

Date Changes
2022-11-24 Enhancement -
- Mapped "modifiedProperties.newValue" to "target.resource.attribute.labels".
- Mapped "modifiedProperties.oldValue" to "src.resource.attribute.labels".
2022-11-07 Enhancement -
- Mapped "target.modifiedProperties.TargetId.DeviceId" to "event.idm.read_only_udm.target.asset.asset_id".
2022-09-16 Enhancement -
- Mapped "properties.initiatedBy.user.ipAddress" to "principal.ip".
- Mapped "properties.initiatedBy.user.userPrincipalName" to "principal.user.userid".
- Mapped "properties.resultReason" to "security_result.description".
- Mapped "identity" to "target.user.userid".
- Mapped "operationName" to "metadata.product_event_type".
- Set "metadata.event_type" to "USER_UNCATEGORIZED" where "properties.activityDisplayName" is "Get resource properties of a tenant".
- Mapped "category" and "properties.category" to "security_result.category_details".
- Mapped "resultDescription" to "metadata.description".
- Mapped "resultType" to "security_result.rule_id".
2022-06-20 Enhancement - Enhanced the parser to parse logs with category 'AuditLogs' and 'SignInLogs' by adding the following mappings:
- Mapped the field 'properties.id' to 'metadata.product_log_id'.
- Mapped the field 'properties.loggedByService' to 'target.application'.
- Mapped the field 'Level' to 'security_result.severity' and 'security_result.severity_details'.
- Mapped the field 'properties.result' to 'security_result.summary' and 'security_result.action'.
- Mapped the field 'properties.operationType' to 'security_result.action_details'.
- Mapped the field 'properties.activityDisplayName' to 'metadata.description'.
- Mapped the field 'properties.category' to 'metadata.product_event_type'.
- Mapped the field 'properties.resultReason' to 'security_result.description'.
- Mapped the field 'properties.initiatedBy.app.displayName' to 'principal.application'.
- Mapped the field 'properties.ipAddress' to 'principal.ip'.
- Mapped the field 'properties.initiatedBy.app.servicePrincipalId' to 'principal.user.userid'.
- Mapped the field 'properties.initiatedBy.app.servicePrincipalName' to 'principal.user.user_display_name'.
- Mapped the field 'properties.appId' and 'properties.initiatedBy.app.appId' to 'principal.resource.attribute.labels'.
- Mapped the field 'properties.location.city' to 'principal.location.city'.
- Mapped the field 'properties.location.state' to 'principal.location.state'.
- Mapped the field 'properties.location.countryOrRegion' to 'principal.location.country_or_region'.
- Mapped the field 'properties.location.geoCoordinates.latitude' to 'principal.location.region_latitude'.
- Mapped the field 'properties.location.geoCoordinates.longitude' to 'principal.location.region_longitude'.
- Mapped the field 'properties.targetResources.modifiedProperties' to 'target.user.attribute.labels'.
- Mapped the field 'targetResources.displayName' to 'target.user.user_display_name'.
- Mapped the field 'targetResources.id' to 'target.user.userid'.
- Mapped the fields 'properties.additionalDetails', 'properties.riskDetail', 'properties.riskEventTypes', 'properties.riskEventTypes_v2', 'properties.riskLevelAggregated', 'properties.riskLevelDuringSignIn', 'properties.riskState', 'properties.conditionalAccessStatus', 'tenantId' to 'additional.fields'.
- Mapped the field 'operationVersion' to 'metadata.product_version'.
- Mapped the field 'properties.appliedConditionalAccessPolicies.displayName' to 'about.user.user_display_name'.
- Mapped the field 'properties.appliedConditionalAccessPolicies.id' to 'about.user.userid'.
- Mapped the field 'properties.appliedConditionalAccessPolicies.result' to 'about.labels'.