Change log for AZURE_AD

Date Changes
2022-10-28 Enhancement:
- Mapped "additionalDetails.0.value" to "network.http.user_agent".
- Mapped "additionalDetails.1.value" to "target.resource.attribute.labels".
- Mapped "Id" to "metadata.product_log_id".
- Mapped "initiatedBy.user.id" to "principal.user.userid".
- Mapped "initiatedBy.user.displayName" to "principal.user.user_display_name".
- Mapped "initiatedBy.user.ipAddress" to "principal.ip".
- Mapped "initiatedBy.user.userPrincipalName" to "principal.user.email_addresses".
- Mapped "operationType" to "security_result.action_details".
- Mapped "target.displayName" to "target.resource.name".
- Mapped "target.id" to "target.resource.id".
- Mapped "target.type" to "target.resource.type".
- Mapped "field.newValue" to "target.resource.product_object_id" if field.displayName is "AppRole.Id" else mapped "field.newValue" to "target.resource.attribute.labels".
- Added check for errorCode.
- Mapped "loggedByService" to "target.application".
- Mapped "activityDisplayName" to "metadata.product_event_type".
- Set "metadata.event_type" to "USER_RESOURCE_UPDATE_PERMISSIONS" where "activityDisplayName" is "Add app role assignment to service principal".
2022-08-25 Enhancement:
- If "properties.initiatedBy.user.userPrincipalName" matches "email regex pattern" then mapped to "principal.user.email_addresses" else mapped to "principal.user.userid".
- If "properties.userPrincipalName" or "userPrincipalName" matches "email regex pattern" then mapped to "target.user.email_addresses" else mapped to "target.user.userid".
2022-08-11 Enhancement:
- Removed drop tag "TAG_MALFORMED_ENCODING".
- Added "event_type" "GENERIC_EVENT".
2022-05-29 Enhancement:
- Modified the for loop for the field 'riskEventTypes_v2' mapped to 'additional.fields'.
- Mapped the field 'level' to 'security_result.severity_details'.
- Mapped the field 'properties.result' to 'security_result.action_details'.
2022-04-20 Bug-fix:
- Parsed the logs with event "appDisplayName": "NotApplicable".
- Modified the for loop for the field 'riskEventTypes'.