Change log for AZURE_AD_AUDIT
Date | Changes |
---|---|
2024-11-28 | Enhancement:
- Mapped "properties.deviceDetail.displayName" to "principal.asset.hardware.model".
- Mapped "properties.authenticationDetails.authenticationMethod", "properties.authenticationDetails.authenticationStepDateTime", "properties.authenticationDetails.authenticationStepRequirement", "properties.authenticationDetails.authenticationStepResultDetail", and "properties.authenticationDetails.succeeded" to "security_result.detection_fields".
- Mapped "properties.userAgent" to "network.http.user_agent".
- Mapped "properties.deviceDetail.deviceId" to "principal.asset.asset_id" and "principal.asset_id".
- Mapped "properties.deviceDetail.trustType" to "additional.fields".
- Mapped "properties.deviceDetail.browser" to "principal.resource.attribute.labels".
- Mapped "properties.deviceDetail.operatingSystem" to "principal.platform_version". |
2024-09-04 | Enhancement:
- When "activityDisplayName" is "Add member to group", mapped "objectId" to "target.group.product_object_id".
- When "activityDisplayName" is "Add member to group", mapped "DisplayName" to "target.group.group_display_name". |
2024-07-30 | Enhancement:
- Set "metadata.event_type" to "USER_CHANGE_PERMISSIONS" only when "principal.user.userid" or "target.user.userid" is present. |
2024-06-26 | Enhancement:
- Mapped the delta between "targetResources.modifiedProperties.newValue" and "targetResources.modifiedProperties.oldValue" to "additional.fields". |
2024-06-10 | Enhancement:
- When "initiatedBy.user.ipAddress" contains an IP address, set "principal_ip_present" to "true".
- Added a condition so that "metadata.event_type" is set to "USER_DELETION" only when "principal_ip_present" is "true". |
2024-06-03 | Enhancement:
- Added a JSON block to parse logs that were previously left unparsed.
- Added a conditional check before setting "event_type" to "USER_DELETION". |
2024-05-20 | Bug-Fix:
- Modified the mapping of "targetResources".
- Mapped the first element of "targetResources" to "target" and each subsequent element to "about".
- Renamed the key "log_Service" to "loggedByService".
- Changed mapping of "resourceId" from "target.resource.id" to "additional.fields".
- When "targetResources.type" is one of "Application", "Policy", "Role", "Directory", "RoleAssignment", "Request", "Provider", or "Other", mapped "targetResources.displayName" to "noun.resource.name"; "targetResources.id" to "noun.resource.product_object_id"; "noun.resource.resource_type" = "UNSPECIFIED"; and "targetResources.type" to "noun.resource.resource_subtype".
- When "targetResources.type" = "User", mapped "targetResources.displayName" to "noun.resource.name"; "targetResources.id" to "noun.resource.product_object_id"; "noun.resource.resource_type" = "UNSPECIFIED"; "targetResources.type" to "noun.resource.resource_subtype"; "targetResources.displayName" to "noun.user.user_display_name"; "targetResources.id" to "noun.user.product_object_id"; and "targetResources.userPrincipalName" to "noun.user.userid".
- When "targetResources.type" = "ServicePrincipal", mapped "targetResources.displayName" to "noun.resource.name"; "targetResources.id" to "noun.resource.product_object_id"; "noun.resource.resource_type" = "SERVICE_ACCOUNT"; "targetResources.type" to "noun.resource.resource_subtype"; "targetResources.displayName" to "noun.user.user_display_name"; "targetResources.id" to "noun.user.product_object_id"; and "targetResources.userPrincipalName" to "noun.user.userid".
- When "targetResources.type" = "Group", mapped "targetResources.displayName" to "noun.resource.name"; "targetResources.id" to "noun.resource.product_object_id"; "noun.resource.resource_type" = "UNSPECIFIED"; "targetResources.type" to "noun.resource.resource_subtype"; "targetResources.displayName" to "noun.group.group_display_name"; "targetResources.id" to "noun.group.product_object_id"; and "groupType" to "noun.group.attribute.labels". |
2024-05-17 | Enhancement:
- Mapped "initiatedBy.user.id" to "principal.user.product_object_id".
- Mapped "initiatedBy.user.userPrincipalName" to "principal.user.userid". |
2024-03-18 | Enhancement:
- Kept the "targetResources.modifiedProperties.displayname", "targetResources.modifiedProperties.newValue", and "targetResources.modifiedProperties.oldValue" fields even when the value is null.
- Mapped "callerIpAddress" to "principal.ip". |
2024-03-12 | Bug-Fix:
- Synced the mappings for Azure Monitor envelope-format logs with the mappings for Microsoft Graph API-format logs.
- Mapped "target.resource.resource_type" based on "targetResources.type".
- Mapped "targetResources.type" to "target.resource.type". |
2024-03-04 | Enhancement:
- Mapped "user_principal_name" from "initiatedBy.user.userPrincipalName" to "principal.resource.attribute.labels".
- Mapped "domain" from "initiatedBy.user.userPrincipalName" to "principal.administrative_domain".
- Mapped "loggedByService" and "properties.loggedByService" to "additional.fields".
- Changed mapping of "initiatedBy.user.id" from "principal.user.product_object_id" to "principal.user.userid".
- Mapped "tgt_user_principal_name" from "target.userPrincipalName" to "target.resource.attribute.labels".
- Mapped "domain" from "target.userPrincipalName" to "target.administrative_domain".
- Mapped "category" to "additional.fields".
- When "additionalDetails[n].key" is "AppId", mapped "additionalDetails[n].value" to "target.process.pid".
- When "additionalDetails[n].key" is "User-Agent", mapped "additionalDetails[n].value" to "network.http.user_agent" and "network.http.parsed_user_agent".
- Mapped "metadata.event_type" based on "loggedByService", "category", and "activityDisplayName".
- Mapped "targetResources.modifiedProperties.displayname", "targetResources.modifiedProperties.newValue", and "targetResources.modifiedProperties.oldValue" to "additional.fields". |
2024-02-21 | Enhancement:
- Added a conditional check that "principal.user.userid" is present before setting "metadata.event_type" to "USER_CREATION".
- Changed mapping of "initiatedBy.user.id" from "principal.user.userid" to "principal.user.product_object_id".
- Changed mapping of "initiatedBy.app.servicePrincipalId" from "principal.user.userid" to "principal.user.product_object_id".
- Changed mapping of "initiatedBy.app.servicePrincipalName" from "principal.user.user_display_name" to "principal.user.userid".
- Changed mapping of "properties.initiatedBy.user.id" from "principal.user.userid" to "principal.user.product_object_id".
- Changed mapping of "properties.initiatedBy.app.servicePrincipalId" from "principal.user.userid" to "principal.user.product_object_id".
- Changed mapping of "properties.initiatedBy.app.servicePrincipalName" from "principal.user.user_display_name" to "principal.user.userid".
- If "targetResourceType" matches "User" or "ServicePrincipal", changed mapping of "target.id" from "target.user.userid" to "target.user.product_object_id".
- If "targetResourceType" matches "User" or "ServicePrincipal", mapped "target.userPrincipalName" to "target.user.userid".
- If "targetResourceType" matches "User" or "ServicePrincipal", mapped "target.displayName" to "target.user.user_display_name". |
2024-02-12 | Enhancement:
- Added a conditional check for "modifiedProperty.displayName", "modifiedProperty.newValue", and "modifiedProperty.oldValue".
- When the "targetResources" type is "User" or "ServicePrincipal", mapped "targetResources.id" to "target.user.userid". |
2024-01-08 | Bug-Fix:
- Added a Grok pattern to validate email values before mapping them to "principal.user.email_addresses" and "target.user.email_addresses". |
2023-12-19 | Enhancement:
- Mapped "targetResource.modifiedProperties.newValue", "targetResource.modifiedProperties.oldValue", and "targetResource.modifiedProperties.displayName" to "additional.fields". |
2023-11-23 | Enhancement:
- Mapped the "targetResources.0.modifiedProperties.newValue" and "targetResources.0.modifiedProperties.oldValue" fields to "event.idm.read_only_udm.additional.fields".
- Added an IP address format check on "initiatedBy.user.ipAddress" before mapping it to UDM. |
2023-10-16 | Enhancement: Modified the following mappings:
- Changed 'metadata.event_type' from 'USER_UNCATEGORIZED' to 'USER_RESOURCE_ACCESS' where 'target.type' is not 'user'.
- Changed mapping of 'target.id' from 'principal.user.userid' to 'principal.user.group_or_identifiers' where 'target.type' is not 'user'.
- Mapped the field that was mapped to 'target.resource.id' to 'target.resource.product_object_id' as well, because 'target.resource.id' is deprecated. |
2023-08-03 | Enhancement: Modified the following mappings:
- Changed 'metadata.event_type' from 'USER_UNCATEGORIZED' to 'USER_CREATION' where 'activityDisplayName' is 'Add user'.
- Changed mapping of 'activityDisplayName' from 'metadata.description' to 'metadata.product_event_type'.
- Mapped the appropriate 'metadata.event_type' where 'activityDisplayName' is 'Add member to group' or 'Add owner to group'.
- Mapped all fields under 'targetResources' to the UDM 'target.user' fields.
- Mapped 'target.user.userid' from the correct 'id' under 'targetResources'.
- Where 'activityDisplayName' is 'Add member to role outside of PIM (permanent)' and the resource type is 'User', mapped the 'target.user.xxx' fields.
- Where 'activityDisplayName' is 'Add Member to Role', mapped 'Role.WellKnownObjectName' to 'target.resource.attribute.roles.name'. |
2023-07-24 | Enhancement: Mapped "targetResources.modifiedProperties.newValue" to "target.user.title" when "targetResources.modifiedProperties.displayName" contains "Role.DisplayName". |
2023-05-25 | Bug-Fix: Changed mapping from "target.resource.attribute.labels.value" to "target.user.userid" when "targetResources.modifiedProperties.displayName" equals "mailNickname". |
2023-05-05 | Enhancement: Modified the following mappings:
- Changed mapping from "target.resource.attribute.labels.value" to "target.user.product_object_id" when "targetResources.modifiedProperties.displayName" equals "objectId".
- Changed mapping from "target.resource.attribute.labels.value" to "target.user.user_display_name" when "targetResources.modifiedProperties.displayName" equals "displayName".
- Changed mapping from "target.resource.attribute.labels.value" to "target.user.first_name" when "targetResources.modifiedProperties.displayName" equals "givenName".
- Changed mapping from "target.resource.attribute.labels.value" to "target.user.title" when "targetResources.modifiedProperties.displayName" equals "jobTitle".
- Changed mapping from "target.resource.attribute.labels.value" to "target.user.email_addresses" when "targetResources.modifiedProperties.displayName" equals "mail".
- Changed mapping from "target.resource.attribute.labels.value" to "target.user.last_name" when "targetResources.modifiedProperties.displayName" equals "surname".
- Changed mapping from "target.resource.attribute.labels.value" to "target.user.department" when "targetResources.modifiedProperties.displayName" equals "department".
- Changed mapping from "target.resource.attribute.labels.value" to "target.user.office_address.name" when "targetResources.modifiedProperties.displayName" equals "physicalDeliveryOfficeName".
- Changed mapping from "target.resource.attribute.labels.value" to "target.user.employee_id" when "targetResources.modifiedProperties.displayName" equals "employeeId".
- Changed mapping from "target.resource.attribute.labels.value" to "target.user.phone_numbers" when "targetResources.modifiedProperties.displayName" equals "mobile". |
2023-04-18 | Enhancement:
- Mapped "initiatedBy.user.userPrincipalName" to "principal.user.user_display_name", "principal.user.userid", or "principal.user.email_addresses".
- Mapped "targetResources.type" to "target.resource.attribute.labels". |
2023-04-12 | Enhancement:
- Mapped "initiatedBy.user.userPrincipalName" to "principal.user.email_addresses" and "event_type" to "USER_UNCATEGORIZED" when "initiatedBy.user.userPrincipalName" is not null.
- If "targetResources.modifiedProperties.displayName" is "userPrincipalName", then mapped it to "principal.user.email_addresses".
- Mapped "event_type" to "USER_UNCATEGORIZED" when "activityDisplayName" is in ["Issue an id_token to the application", "Set Company Information"]. |
2023-02-20 | Bug-Fix:
- Mapped the multiple IP addresses that arrive under the key "additionalDetails.ClientIpAddress" to "principal.ip".
- Mapped "metadata.event_type" to "USER_UNCATEGORIZED" when "activityDisplayName" equals "Delete user" and the "initiatedBy.user.userPrincipalName" field is not present. |
2023-02-02 | Enhancement: When "activityDisplayName" equals "Delete user":
- Mapped "event_type" to "USER_DELETION".
- Mapped "initiatedBy.user.userPrincipalName" to "principal.user.userid". |
2022-11-24 | Enhancement:
- Mapped "modifiedProperties.newValue" to "target.resource.attribute.labels".
- Mapped "modifiedProperties.oldValue" to "src.resource.attribute.labels". |
2022-11-07 | Enhancement:
- Mapped "target.modifiedProperties.TargetId.DeviceId" to "event.idm.read_only_udm.target.asset.asset_id". |
2022-09-16 | Enhancement:
- Mapped "properties.initiatedBy.user.ipAddress" to "principal.ip".
- Mapped "properties.initiatedBy.user.userPrincipalName" to "principal.user.userid".
- Mapped "properties.resultReason" to "security_result.description".
- Mapped "identity" to "target.user.userid".
- Mapped "operationName" to "metadata.product_event_type".
- Mapped "metadata.event_type" to "USER_UNCATEGORIZED" where "properties.activityDisplayName" is "Get resource properties of a tenant".
- Mapped "category" and "properties.category" to "security_result.category_details".
- Mapped "resultDescription" to "metadata.description".
- Mapped "resultType" to "security_result.rule_id". |
2022-06-20 | Enhancement: Enhanced the parser to parse logs with category 'AuditLogs' and 'SignInLogs' by adding the following mappings:
- Mapped the field 'properties.id' to 'metadata.product_log_id'.
- Mapped the field 'properties.loggedByService' to 'target.application'.
- Mapped the field 'Level' to 'security_result.severity' and 'security_result.severity_details'.
- Mapped the field 'properties.result' to 'security_result.summary' and 'security_result.action'.
- Mapped the field 'properties.operationType' to 'security_result.action_details'.
- Mapped the field 'properties.activityDisplayName' to 'metadata.description'.
- Mapped the field 'properties.category' to 'metadata.product_event_type'.
- Mapped the field 'properties.resultReason' to 'security_result.description'.
- Mapped the field 'properties.initiatedBy.app.displayName' to 'principal.application'.
- Mapped the field 'properties.ipAddress' to 'principal.ip'.
- Mapped the field 'properties.initiatedBy.app.servicePrincipalId' to 'principal.user.userid'.
- Mapped the field 'properties.initiatedBy.app.servicePrincipalName' to 'principal.user.user_display_name'.
- Mapped the fields 'properties.appId' and 'properties.initiatedBy.app.appId' to 'principal.resource.attribute.labels'.
- Mapped the field 'properties.location.city' to 'principal.location.city'.
- Mapped the field 'properties.location.state' to 'principal.location.state'.
- Mapped the field 'properties.location.countryOrRegion' to 'principal.location.country_or_region'.
- Mapped the field 'properties.location.geoCoordinates.latitude' to 'principal.location.region_latitude'.
- Mapped the field 'properties.location.geoCoordinates.longitude' to 'principal.location.region_longitude'.
- Mapped the fields under 'properties.targetResources.modifiedProperties' to 'target.user.attribute.labels'.
- Mapped the field 'targetResources.displayName' to 'target.user.user_display_name'.
- Mapped the field 'targetResources.id' to 'target.user.userid'.
- Mapped the fields 'properties.additionalDetails', 'properties.riskDetail', 'properties.riskEventTypes', 'properties.riskEventTypes_v2', 'properties.riskLevelAggregated', 'properties.riskLevelDuringSignIn', 'properties.riskState', 'properties.conditionalAccessStatus', and 'tenantId' to 'additional.fields'.
- Mapped the field 'operationVersion' to 'metadata.product_version'.
- Mapped the field 'properties.appliedConditionalAccessPolicies.displayName' to 'about.user.user_display_name'.
- Mapped the field 'properties.appliedConditionalAccessPolicies.id' to 'about.user.userid'.
- Mapped the field 'properties.appliedConditionalAccessPolicies.result' to 'about.labels'. |
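
The entries above describe rules rather than show them running, so the following is an added example, written for this page and not part of the AZURE_AD_AUDIT parser (which is a Chronicle parser config, not Python). It implements a subset of the rules over constructed Microsoft Graph API directoryAudit records: the first-element-to-target, remaining-elements-to-about split and the type-based resource_type (2024-05-20), the oldValue/newValue delta (2024-06-26), the IP format check and the principal_ip_present gate on USER_DELETION (2023-11-23, 2024-06-10), the email validation before email_addresses (2024-01-08), and the administrative_domain from the UPN (2024-03-04). The email regex, the event-type precedence, and every value in the sample records are assumptions; the parser's own Grok pattern and ordering are not on this page.

```python
# Added example, not the AZURE_AD_AUDIT parser itself: a Python normaliser applying a subset
# of the mapping rules in this change log to constructed Graph API directoryAudit records.
# The email regex and the event-type precedence are assumptions, not the parser's own logic.
import ipaddress
import json
import re

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")  # stand-in for the 2024-01-08 Grok check
RESOURCE_TYPE = {"ServicePrincipal": "SERVICE_ACCOUNT"}  # 2024-05-20: every other type is UNSPECIFIED

def valid_ip(value):
    """2023-11-23 / 2024-06-10: only a string that parses as IPv4/IPv6 may become principal.ip."""
    try:
        ipaddress.ip_address(value)
        return True
    except (TypeError, ValueError):
        return False

def to_list(raw):
    """oldValue/newValue arrive as JSON-encoded strings ('["a"]', '"x"') or null."""
    try:
        value = json.loads(raw) if raw else []
    except (TypeError, ValueError):
        value = raw
    return value if isinstance(value, list) else [value]

def modified_property_delta(props):
    """2024-06-26: delta between oldValue and newValue, keyed for additional.fields."""
    delta = {}
    for prop in props or []:
        name = prop.get("displayName") or "unknown"
        old, new = to_list(prop.get("oldValue")), to_list(prop.get("newValue"))
        added = [v for v in new if v not in old]
        removed = [v for v in old if v not in new]
        if added:
            delta[name + ".added"] = added
        if removed:
            delta[name + ".removed"] = removed
    return delta

def map_target_resource(res):
    """2024-05-20: build one UDM noun (target or about) from a targetResources element."""
    rtype = res.get("type", "")
    noun = {"resource": {"name": res.get("displayName"), "product_object_id": res.get("id"),
                         "resource_type": RESOURCE_TYPE.get(rtype, "UNSPECIFIED"),
                         "resource_subtype": rtype}}
    if rtype in ("User", "ServicePrincipal"):
        noun["user"] = {"user_display_name": res.get("displayName"), "product_object_id": res.get("id")}
        upn = res.get("userPrincipalName")
        if upn:
            noun["user"]["userid"] = upn
            if EMAIL_RE.match(upn):  # 2024-01-08: validate before filling email_addresses
                noun["user"]["email_addresses"] = [upn]
    elif rtype == "Group":
        noun["group"] = {"group_display_name": res.get("displayName"), "product_object_id": res.get("id")}
    return noun

def normalize(record):
    """Map one directoryAudit record to a UDM-shaped dict."""
    activity = record.get("activityDisplayName")
    udm = {"metadata": {"product_event_type": activity}, "principal": {}, "additional": {"fields": {}}}
    initiator = (record.get("initiatedBy") or {}).get("user") or {}
    ip = initiator.get("ipAddress")
    principal_ip_present = valid_ip(ip)  # the 2024-06-10 flag
    if principal_ip_present:
        udm["principal"]["ip"] = [ip]
    upn = initiator.get("userPrincipalName")
    if upn:
        udm["principal"]["user"] = {"userid": upn, "product_object_id": initiator.get("id")}
        udm["principal"]["administrative_domain"] = upn.split("@", 1)[-1]  # 2024-03-04
    targets = record.get("targetResources") or []
    nouns = [map_target_resource(t) for t in targets]
    if nouns:
        udm["target"], udm["about"] = nouns[0], nouns[1:]  # first element -> target, rest -> about
    for t in targets:
        udm["additional"]["fields"].update(modified_property_delta(t.get("modifiedProperties")))
    if activity == "Delete user" and principal_ip_present:  # 2024-06-10 gate on the IP flag
        udm["metadata"]["event_type"] = "USER_DELETION"
    else:
        udm["metadata"]["event_type"] = "USER_UNCATEGORIZED"
    return udm

# Constructed sample records (Graph directoryAudit shape; every value is invented).
ADD_MEMBER = {
    "activityDisplayName": "Add member to group",
    "initiatedBy": {"user": {"id": "11111111-1111-1111-1111-111111111111",
                             "userPrincipalName": "admin@example.com", "ipAddress": "203.0.113.10"}},
    "targetResources": [
        {"type": "User", "id": "22222222-2222-2222-2222-222222222222", "displayName": "Alice",
         "userPrincipalName": "alice@example.com", "modifiedProperties": [
             {"displayName": "Group.ObjectID", "oldValue": None,
              "newValue": "\"33333333-3333-3333-3333-333333333333\""}]},
        {"type": "Group", "id": "33333333-3333-3333-3333-333333333333", "displayName": "sg-finance"}]}
DELETE_NO_IP = {  # empty ipAddress: the USER_DELETION gate must stay closed
    "activityDisplayName": "Delete user",
    "initiatedBy": {"user": {"userPrincipalName": "admin@example.com", "ipAddress": ""}},
    "targetResources": [{"type": "User", "id": "44444444-4444-4444-4444-444444444444",
                         "displayName": "Bob", "userPrincipalName": "bob@example.com"}]}

if __name__ == "__main__":
    print(json.dumps(normalize(ADD_MEMBER), indent=2))
```

Running it prints the first sample as UDM: the User element lands under "target" with "userid" and "email_addresses" filled, the Group element under "about", and "Group.ObjectID.added" in "additional.fields". The second sample carries an empty "ipAddress", so "principal.ip" is omitted and the event stays "USER_UNCATEGORIZED"; the same record with a well-formed IPv6 address becomes "USER_DELETION", which is the behaviour the 2024-06-10 gate describes.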