Change log for AZURE_AD_AUDIT

Date Changes
2024-09-04 Enhancement:
- When "activityDisplayName" is "Add member to group", then mapped "objectId" to "target.group.product_object_id".
- When "activityDisplayName" is "Add member to group", then mapped "DisplayName" to "target.group.group_display_name".
2024-07-30 Enhancement:
- Set "metadata.event_type" to "USER_CHANGE_PERMISSIONS" only when "principal.user.userid" or "target.user.userid" is present.
2024-06-26 Enhancement:
- Mapped delta between "targetResources.modifiedProperties.newValue" and "targetResources.modifiedProperties.oldValue" to "additional.fields".
2024-06-10 Enhancement:
- When "initiatedBy.user.ipAddress" contains a valid IP address, then set "principal_ip_present" to "true".
- Added a condition to set "metadata.event_type" to "USER_DELETION" only when "principal_ip_present" is "true".
2024-06-03 Enhancement:
- Added a JSON block to parse unparsed logs.
- Added a conditional check for "event_type" "USER_DELETION".
2024-05-20 Bug-Fix:
- Modified the mapping of the "targetResource".
- Mapped the first iteration of "targetResource" to "target" and all subsequent iterations of "targetResource" to "about".
- Renamed the key of the "loggedByService" field from "log_Service" to "loggedByService".
- Changed mapping of "resourceId" from "target.resource.id" to "additional_fields".
- When "targetResources.type" = "Application", "Policy", "Role", "Directory", "RoleAssignment", "Request", "Provider", "Other", then mapped "targetResources.displayName" to "noun.resource.name"; "targetResources.id" to "noun.resource.product_object_id"; "noun.resource.resource_type" = "UNSPECIFIED"; "targetResource.type" to "noun.resource.resource_subtype".
- When "targetResources.type" = "User", then mapped "targetResources.displayName" to "noun.resource.name"; "targetResources.id" to "noun.resource.product_object_id"; "noun.resource.resource_type" = "UNSPECIFIED"; "targetResource.type" to "noun.resource.resource_subtype"; "targetResources.displayName" to "noun.user.user_display_name"; "targetResources.id" to "noun.user.product_object_id"; "targetResources.userPrincipalName" to "noun.user.userid".
- When "targetResources.type" = "ServicePrincipal", then mapped "targetResources.displayName" to "noun.resource.name"; "targetResources.id" to "noun.resource.product_object_id"; "noun.resource.resource_type" = "SERVICE_ACCOUNT"; "targetResource.type" to "noun.resource.resource_subtype"; "targetResources.displayName" to "noun.user.user_display_name"; "targetResources.id" to "noun.user.product_object_id"; "targetResources.userPrincipalName" to "noun.user.userid".
- When "targetResources.type" = "Group", then mapped "targetResources.displayName" to "noun.resource.name"; "targetResources.id" to "noun.resource.product_object_id"; "noun.resource.resource_type" = "UNSPECIFIED"; "targetResource.type" to "noun.resource.resource_subtype"; "targetResources.displayName" to "noun.group.group_display_name"; "targetResources.id" to "noun.group.product_object_id"; "groupType" to "noun.group.attribute.labels".
2024-05-17 Enhancement:
- Mapped "initiatedBy.user.id" to "principal.user.product_object_id".
- Mapped "initiatedBy.user.userPrincipalName" to "principal.user.userid".
2024-03-18 Enhancement:
- Displayed the "targetResources.modifiedProperties.displayname", "targetResources.modifiedProperties.newValue" and "targetResources.modifiedProperties.oldValue" fields even when the value is null.
- Mapped "callerIpAddress" to "principal.ip".
2024-03-12 Bug-Fix:
- Synced the mappings for Azure Monitor envelope-format logs with the mappings for Microsoft Graph API format logs.
- Mapped "target.resource.resource_type" based on "targetResources.type".
- Mapped "targetResources.type" to "target.resource.type".
2024-03-04 Enhancement:
- Mapped "user_principal_name" from "initiatedBy.user.userPrincipalName" to "principal.resource.attribute.labels".
- Mapped "domain" from "initiatedBy.user.userPrincipalName" to "principal.administrative_domain".
- Mapped "loggedByService" and "properties.loggedByService" to "additional.fields".
- Changed mapping of "initiatedBy.user.id" from "principal.user.product_object_id" to "principal.user.userid".
- Mapped "tgt_user_principal_name" from "target.userPrincipalName" to "target.resource.attribute.labels".
- Mapped "domain" from "target.userPrincipalName" to "target.administrative_domain".
- Mapped "category" to "additional.fields".
- When "additionalDetails[n].key" is "AppId", then mapped "additionalDetails[n].value" to "target.process.pid".
- When "additionalDetails[n].key" is "User-Agent", then mapped "additionalDetails[n].value" to "network.http.user_agent" and "network.http.parsed_user_agent".
- Mapped "metadata.event_type" based on "loggedByService", "category" and "activityDisplayName".
- Mapped "targetResources.modifiedProperties.displayname", "targetResources.modifiedProperties.newValue" and "targetResources.modifiedProperties.oldValue" to "additional.fields".
2024-02-21 Enhancement:
- Added conditional check if "principal.user.userid" is present before setting "metadata.event_type" to "USER_CREATION".
- Changed mapping of "initiatedBy.user.id" from "principal.user.userid" to "principal.user.product_object_id".
- Changed mapping of "initiatedBy.app.servicePrincipalId" from "principal.user.userid" to "principal.user.product_object_id".
- Changed mapping of "initiatedBy.app.servicePrincipalName" from "principal.user.user_display_name" to "principal.user.userid".
- Changed mapping of "properties.initiatedBy.user.id" from "principal.user.userid" to "principal.user.product_object_id".
- Changed mapping of "properties.initiatedBy.app.servicePrincipalId" from "principal.user.userid" to "principal.user.product_object_id".
- Changed mapping of "properties.initiatedBy.app.servicePrincipalName" from "principal.user.user_display_name" to "principal.user.userid".
- If "targetResourceType" value is similar to "User" or "ServicePrincipal", then changed mapping of "target.id" from "target.user.userid" to "target.user.product_object_id".
- If "targetResourceType" value is similar to "User" or "ServicePrincipal", then mapped "target.userPrincipalName" to "target.user.userid".
- If "targetResourceType" value is similar to "User" or "ServicePrincipal", then mapped "target.displayName" to "target.user.user_display_name".
2024-02-12 Enhancement:
- Added conditional check for "modifiedProperty.displayName", "modifiedProperty.newValue", and "modifiedProperty.oldValue".
- When "targetResource.id" is "User" or "ServicePrincipal", then mapped it to "target.user.userid".
2024-01-08 Bug-Fix:
- Added a Grok pattern to validate email values before mapping them to "principal.user.email_addresses" and "target.user.email_addresses".
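The mapping rules in the 2024-05-20, 2024-06-10, 2024-06-26 and 2024-01-08 entries describe a small normalizer: the first "targetResources" entry becomes "target" and later ones become "about", each entry is mapped to a UDM noun according to its "type", only changed "modifiedProperties" are emitted as additional fields, and IP and e-mail values are format-checked before they reach UDM. The Python below is an added example illustrating those rules; it is not the parser's own code. It assumes a Graph API style record, replaces the changelog's Grok e-mail pattern with a plain regular expression, and implements only a simplified subset of the event-type rules ("Delete user", "Add user", "Add member to group", "Add owner to group"); the sample record is constructed.

```python
"""Added example: minimal Azure AD audit -> UDM-style normalizer (not the parser's code)."""
import ipaddress
import json
import re

RESOURCE_TYPES = {"Application", "Policy", "Role", "Directory",
                  "RoleAssignment", "Request", "Provider", "Other"}
# Assumption: stand-in for the changelog's Grok e-mail validation pattern.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def is_ip(value):
    """The 'ip_address format check': True only for a parseable IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except (ValueError, TypeError):
        return False


def is_email(value):
    return isinstance(value, str) and EMAIL_RE.match(value) is not None


def map_target_resource(res):
    """Map one targetResources entry to a noun following the 2024-05-20 rules."""
    rtype = res.get("type")
    noun = {"resource": {
        "name": res.get("displayName"),
        "product_object_id": res.get("id"),
        "resource_type": "SERVICE_ACCOUNT" if rtype == "ServicePrincipal" else "UNSPECIFIED",
        "resource_subtype": rtype}}
    if rtype in ("User", "ServicePrincipal"):
        upn = res.get("userPrincipalName")
        noun["user"] = {"user_display_name": res.get("displayName"),
                        "product_object_id": res.get("id"), "userid": upn}
        if is_email(upn):  # only validated values reach email_addresses
            noun["user"]["email_addresses"] = [upn]
    elif rtype == "Group":
        noun["group"] = {"group_display_name": res.get("displayName"),
                         "product_object_id": res.get("id"),
                         "attribute": {"labels": [{"key": "groupType",
                                                   "value": res.get("groupType")}]}}
    return noun


def modified_property_delta(props):
    """Keep only properties whose value actually changed (the 'delta' of 2024-06-26)."""
    return [{"key": p.get("displayName"), "old": p.get("oldValue"), "new": p.get("newValue")}
            for p in props or [] if p.get("oldValue") != p.get("newValue")]


def classify(activity, udm, principal_ip_present):
    """Assumption: simplified subset of the changelog's event_type rules."""
    p_uid = udm["principal"].get("user", {}).get("userid")
    t_uid = udm.get("target", {}).get("user", {}).get("userid")
    if activity == "Delete user" and principal_ip_present:
        return "USER_DELETION"
    if activity == "Add user" and p_uid:
        return "USER_CREATION"
    if activity in ("Add member to group", "Add owner to group") and (p_uid or t_uid):
        return "USER_CHANGE_PERMISSIONS"
    return "USER_UNCATEGORIZED"


def normalize(event):
    udm = {"metadata": {"product_event_type": event.get("activityDisplayName")},
           "principal": {}, "about": [], "additional": {"fields": []}}
    init = event.get("initiatedBy", {}).get("user", {})
    if init:
        upn = init.get("userPrincipalName")
        udm["principal"]["user"] = {"product_object_id": init.get("id"), "userid": upn}
        if is_email(upn):
            udm["principal"]["user"]["email_addresses"] = [upn]
    principal_ip_present = is_ip(init.get("ipAddress"))  # 2024-06-10 flag
    if principal_ip_present:
        udm["principal"]["ip"] = [init["ipAddress"]]
    for i, res in enumerate(event.get("targetResources", [])):
        noun = map_target_resource(res)
        if i == 0:
            udm["target"] = noun          # first iteration -> target
        else:
            udm["about"].append(noun)     # later iterations -> about
        udm["additional"]["fields"].extend(modified_property_delta(res.get("modifiedProperties")))
    udm["metadata"]["event_type"] = classify(event.get("activityDisplayName"), udm,
                                             principal_ip_present)
    return udm


SAMPLE_EVENT = {  # constructed sample record, not a real tenant's log
    "activityDisplayName": "Add member to group",
    "initiatedBy": {"user": {"id": "aaaaaaaa-0000-0000-0000-000000000001",
                             "userPrincipalName": "admin@example.com",
                             "ipAddress": "203.0.113.10"}},
    "targetResources": [
        {"type": "User", "id": "aaaaaaaa-0000-0000-0000-000000000002",
         "displayName": "Jane Doe", "userPrincipalName": "jane.doe@example.com",
         "modifiedProperties": [
             {"displayName": "Group.ObjectID", "oldValue": "",
              "newValue": "\"aaaaaaaa-0000-0000-0000-000000000003\""},
             {"displayName": "Group.WellKnownObjectName", "oldValue": "", "newValue": ""}]},
        {"type": "Group", "id": "aaaaaaaa-0000-0000-0000-000000000003",
         "displayName": "Finance Admins", "groupType": "Security", "modifiedProperties": []}]}

if __name__ == "__main__":
    print(json.dumps(normalize(SAMPLE_EVENT), indent=2))
```

Running the block prints the normalized record: the user lands under "target", the group under "about", the unchanged "Group.WellKnownObjectName" property is dropped from the additional fields, and the event is classified as "USER_CHANGE_PERMISSIONS" because a validated principal userid is present.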
2023-12-19 Enhancement:
- Mapped "targetResource.modifiedProperties.newValue", "targetResource.modifiedProperties.oldValue", and "targetResource.modifiedProperties.displayName" to "additional.fields".
2023-11-23 - Mapped "targetResources.0.modifiedProperties.newValue/oldValue" fields to "event.idm.read_only_udm.additional.fields".
- Added an ip_address format check on "initiatedBy.user.ipAddress" prior to mapping it to UDM.
2023-10-16 Enhancement: Modified the following mappings:
- Changed 'metadata.event_type' from 'USER_UNCATEGORIZED' to 'USER_RESOURCE_ACCESS' where 'target.type' is not 'user'.
- Changed mapping of 'target.id' from 'principal.user.userid' to 'principal.user.group_or_identifiers' where 'target.type' is not 'user'.
- Mapped the field which has been mapped to 'target.resource.id' to 'target.resource.product_object_id' as well because 'target.resource.id' is deprecated.
2023-08-03 Enhancement: Modified the following mappings:
- Changed 'metadata.event_type' from 'USER_UNCATEGORIZED' to 'USER_CREATION' where 'activityDisplayName' is 'Add user'.
- Changed mapping of 'activityDisplayName' from 'metadata.description' to 'metadata.product_event_type'.
- Mapped appropriate 'metadata.event_type' where 'activityDisplayName' is 'Add member to group', 'Add owner to group'.
- All fields under 'targetResources' should be part of the UDM 'target.user' fields.
- Mapped 'target.user.userid' from the correct 'id' under 'targetResource'.
- When 'activityDisplayName' is 'Add member to role outside of PIM (permanent)', mapped the 'target.user.xxx' fields when the resource type is 'User'.
- For 'activityDisplayName' as 'Add Member to Role' mapped 'Role.WellKnownObjectName' to 'target.resource.attribute.roles.name'.
2023-07-24 Enhancement: Mapped "targetResources.modifiedProperties.newValue" to "target.user.title" when "targetResources.modifiedProperties.displayName" value contains "Role.DisplayName".
2023-05-25 Bug-fix: Changed mapping from "target.resource.attribute.labels.value" to "target.user.userid" when "targetResources.modifiedProperties.displayName" equals "mailNickname".
2023-05-05 Enhancement: Modified the following mappings:
- Changed mapping from "target.resource.attribute.labels.value" to "target.user.product_object_id" when "targetResources.modifiedProperties.displayName" equals "objectId".
- Changed mapping from "target.resource.attribute.labels.value" to "target.user.user_display_name" when "targetResources.modifiedProperties.displayName" equals "displayName".
- Changed mapping from "target.resource.attribute.labels.value" to "target.user.first_name" when "targetResources.modifiedProperties.displayName" equals "givenName".
- Changed mapping from "target.resource.attribute.labels.value" to "target.user.title" when "targetResources.modifiedProperties.displayName" equals "jobTitle".
- Changed mapping from "target.resource.attribute.labels.value" to "target.user.email_addresses" when "targetResources.modifiedProperties.displayName" equals "mail".
- Changed mapping from "target.resource.attribute.labels.value" to "target.user.last_name" when "targetResources.modifiedProperties.displayName" equals "surname".
- Changed mapping from "target.resource.attribute.labels.value" to "target.user.department" when "targetResources.modifiedProperties.displayName" equals "department".
- Changed mapping from "target.resource.attribute.labels.value" to "target.user.office_address.name" when "targetResources.modifiedProperties.displayName" equals "physicalDeliveryOfficeName".
- Changed mapping from "target.resource.attribute.labels.value" to "target.user.employee_id" when "targetResources.modifiedProperties.displayName" equals "employeeId".
- Changed mapping from "target.resource.attribute.labels.value" to "target.user.phone_numbers" when "targetResources.modifiedProperties.displayName" equals "mobile".
2023-04-18 Enhancement:
- "initiatedBy.user.userPrincipalName" mapped to "principal.user.user_display_name" or "principal.user.userid" or "principal.user.email_addresses".
- "targetResources.type" mapped to "target.resource.attribute.labels".
2023-04-12 Enhancement:
- Mapped "initiatedBy.user.userPrincipalName" to "principal.user.email_addresses" and "event_type" to "USER_UNCATEGORIZED" when "initiatedBy.user.userPrincipalName" is not null.
- If "targetResources.modifiedProperties.displayName" is "userPrincipalName", then mapped it to "principal.user.email_addresses".
- Mapped "event_type" to "USER_UNCATEGORIZED" when "activityDisplayName" is in ["Issue an id_token to the application", "Set Company Information"].
2023-02-20 Bug-Fix:
- Mapped multiple IP addresses coming under key "additionalDetails.ClientIpAddress" to "principal.ip".
- Mapped "metadata.event_type" to "USER_UNCATEGORIZED" when "activityDisplayName" equals "Delete user" and the "initiatedBy.user.userPrincipalName" field is not present.
2023-02-02 Enhancement: Mapped the following when "activityDisplayName" equals "Delete user":
- Mapped "event_type" to "USER_DELETION".
- Mapped "initiatedBy.user.userPrincipalName" to "principal.user.userid".
2022-11-24 Enhancement:
- Mapped "modifiedProperties.newValue" to "target.resource.attribute.labels".
- Mapped "modifiedProperties.oldValue" to "src.resource.attribute.labels".
2022-11-07 Enhancement:
- Mapped "target.modifiedProperties.TargetId.DeviceId" to "event.idm.read_only_udm.target.asset.asset_id".
2022-09-16 Enhancement:
- Mapped "properties.initiatedBy.user.ipAddress" to "principal.ip".
- Mapped "properties.initiatedBy.user.userPrincipalName" to "principal.user.userid".
- Mapped "properties.resultReason" to "security_result.description".
- Mapped "identity" to "target.user.userid".
- Mapped "operationName" to "metadata.product_event_type".
- Mapped "metadata.event_type" to "USER_UNCATEGORIZED" where "properties.activityDisplayName" is "Get resource properties of a tenant".
- Mapped "category" and "properties.category" to "security_result.category_details".
- Mapped "resultDescription" to "metadata.description".
- Mapped "resultType" to "security_result.rule_id".
2022-06-20 Enhancement: Enhanced the parser to parse logs with category 'AuditLogs' and 'SignInLogs' by adding the following mappings:
- Mapped the field 'properties.id' to 'metadata.product_log_id'.
- Mapped the field 'properties.loggedByService' to 'target.application'.
- Mapped the field 'Level' to 'security_result.severity' and 'security_result.severity_details'.
- Mapped the field 'properties.result' to 'security_result.summary' and 'security_result.action'.
- Mapped the field 'properties.operationType' to 'security_result.action_details'.
- Mapped the field 'properties.activityDisplayName' to 'metadata.description'.
- Mapped the field 'properties.category' to 'metadata.product_event_type'.
- Mapped the field 'properties.resultReason' to 'security_result.description'.
- Mapped the field 'properties.initiatedBy.app.displayName' to 'principal.application'.
- Mapped the field 'properties.ipAddress' to 'principal.ip'.
- Mapped the field 'properties.initiatedBy.app.servicePrincipalId' to 'principal.user.userid'.
- Mapped the field 'properties.initiatedBy.app.servicePrincipalName' to 'principal.user.user_display_name'.
- Mapped the field 'properties.appId' and 'properties.initiatedBy.app.appId' to 'principal.resource.attribute.labels'.
- Mapped the field 'properties.location.city' to 'principal.location.city'.
- Mapped the field 'properties.location.state' to 'principal.location.state'.
- Mapped the field 'properties.location.countryOrRegion' to 'principal.location.country_or_region'.
- Mapped the field 'properties.location.geoCoordinates.latitude' to 'principal.location.region_latitude'.
- Mapped the field 'properties.location.geoCoordinates.longitude' to 'principal.location.region_longitude'.
- Mapped the fields 'properties.targetResources.modifiedProperties' to 'target.user.attribute.labels'.
- Mapped the field 'targetResources.displayName' to 'target.user.user_display_name'.
- Mapped the field 'targetResources.id' to 'target.user.userid'.
- Mapped the fields 'properties.additionalDetails', 'properties.riskDetail', 'properties.riskEventTypes', 'properties.riskEventTypes_v2', 'properties.riskLevelAggregated', 'properties.riskLevelDuringSignIn', 'properties.riskState', 'properties.conditionalAccessStatus', 'tenantId' to 'additional.fields'.
- Mapped the field 'operationVersion' to 'metadata.product_version'.
- Mapped the field 'properties.appliedConditionalAccessPolicies.displayName' to 'about.user.user_display_name'.
- Mapped the field 'properties.appliedConditionalAccessPolicies.id' to 'about.user.userid'.
- Mapped the field 'properties.appliedConditionalAccessPolicies.result' to 'about.labels'.