Change log for AZURE_AD

Date Changes
2024-12-05 Enhancement:
- Added support for new format of JSON logs.
2024-10-07 Enhancement:
- Mapped "properties.userPrincipalName" to "target.user.userid".
2024-09-04 Enhancement:
- Removed mapping of "correlationId" from "network.session_id".
2024-08-22 Enhancement:
- When "displayName" is "iphone", then mapped to "principal.resource.attribute.labels".
2024-07-05 Enhancement:
- Mapped "isInteractive" to "security_result.detection_fields".
2024-06-03 - Changed mapping of "policies.displayName" from "about.user.user_display_name" to "security_result.rule_name".
- Changed mapping of "policies.id" from "about.user.userid" to "security_result.rule_id".
- Changed mapping of "policies.result" from "about.labels" to "security_result.detection_fields".
2024-05-29 Enhancement:
- When "status.errorCode" is "0", then set "security_result.action" to "ALLOW".
2024-05-13 Bug-Fix:
- Mapped "userPrincipalName" to "target.user.userid".
2024-05-10 Enhancement:
- Mapped "networkLocationDetails.n.networkNames", "properties.networkLocationDetails.n.networkNames", "networkLocationDetails.n.networkType" and "properties.networkLocationDetails.n.networkType" to "additional.fields".
- Mapped "properties.userAgent" and "userAgent" to "network.http.user_agent" and "network.http.parsed_user_agent".
2024-05-03 Bug-Fix:
- Added "on_error" check before mapping "target.modifiedProperties.n.newValue".
- Mapped "target.modifiedProperties.n.oldValue" and "target.modifiedProperties.n.displayName" to "target.resource.attribute.labels".
- Mapped "activityDisplayName" to "security_result.summary".
2024-04-30 Enhancement:
- Mapped "properties.authenticationDetails", "properties.networkLocationDetails", "properties.authenticationRequirementPolicies", "networkLocationDetails" and "authenticationRequirementPolicies" to "security_result.detection_fields".
2024-04-02 Enhancement:
- Mapped "authenticationRequirement" to "additional.fields".
2024-04-02 Enhancement:
- Mapped "authenticationRequirement" to "additional.fields".
2024-04-02 Enhancement:
- Mapped "authenticationRequirement" to "additional.fields".
2024-02-26 Enhancement:
- Mapped "appliedConditionalAccessPolicies" to "security_result".
- Mapped "isInteractive" to "extensions.auth.mechanism".
- Mapped "location.geoCoordinates.altitude" to "additional.fields".
2024-02-09 Enhancement:
- Mapped "authenticationDetails.authenticationMethod", "authenticationDetails.authenticationMethodDetail", "authenticationDetails.authenticationStepResultDetail", "authenticationDetails.authenticationStepDateTime", and "authenticationDetails.authenticationStepRequirement" to "security_result.detection_fields".
- Mapped "authenticationDetails.succeeded" to "security_result.action".
- Mapped "status.additionalDetails" to "security_result.description".
2024-01-11 Enhancement:
- Mapped "correlationId" to "security_result.detection_fields".
2023-11-20 Enhancement:
- Mapped "tenantId" to "metadata.product_deployment_id".
- Mapped "Level" to "security_result.severity_details" and "security_result.severity".
- Mapped "properties.userDisplayName" to "target.user.user_display_name".
- Mapped "identity" to "target.user.user_display_name".
- Mapped "properties.activityDateTime" to "metadata.event_timestamp".
- Mapped "properties.activity" to "security_result.summary".
- Mapped "resultSignature", "properties.riskLevel", "properties.isGuest", "properties.isDeleted", "properties.isProcessing",
"properties.riskLastUpdatedDateTime", "properties.riskType", "properties.riskEventType", "properties.riskState", "properties.riskDetail", "properties.source", "properties.detectionTimingType"
"properties.detectedDateTime", "properties.lastUpdatedDateTime", "properties.tokenIssuerType", "properties.homeTenantId", "properties.userType", "properties.crossTenantAccessType", "durationMs" to "additional.fields".
- Mapped "resourceId" to "target.resource.product_object_id".
- Mapped "properties.location.geoCoordinates.longitude" and "location.geoCoordinates.longitude" to "principal.location.region_coordinates.longitude".
- Mapped "properties.location.geoCoordinates.latitude" and "location.geoCoordinates.latitude" to "principal.location.region_coordinates.latitude".
2023-07-12 Enhancement:
- Mapped "deviceDetail.isCompliant", "deviceDetail.isManaged", "deviceDetail.trustType" to "principal.asset.attribute.labels".
- Mapped "deviceDetail.deviceId" to "principal.asset.asset_id".
- Mapped "deviceDetail.browser" to "network.http.user_agent".
- Mapped "deviceDetail.operatingSystem" to "principal.platform_version".
- Mapped "status.failureReason" to "additional.fields".
- Mapped "status.errorCode" to "security_result.rule_id".
- Mapped "deviceDetail.displayName" to "principal.asset.hardware".
2023-03-14 Enhancement:
- Mapped "browser" to "principal.resource.attribute.labels".
- Mapped "isCompliant", "isManaged", "trustType", to "principal.asset.attribute.labels".
- Mapped "domain" form "userPrincipalName" to "principal.administrative_domain".
2022-12-16 Enhancement:
- Added conditional check for the field 'initiatedBy.user.userPrincipalName' and mapped to 'principal.user.email_addresses'.
2022-10-28 Enhancement:
- Mapped "additionalDetails.0.value" to "network.http.user_agent".
- Mapped "additionalDetails.1.value" to "target.resource.attribute.labels".
- Mapped "Id" to "metadata.product_log_id".
- Mapped "initiatedBy.user.id" to "principal.user.userid".
- Mapped "initiatedBy.user.displayName" to "principal.user.user_display_name".
- Mapped "initiatedBy.user.ipAddress" to "principal.ip".
- Mapped "initiatedBy.user.userPrincipalName" to "principal.user.email_addresses".
- Mapped "operationType" to "security_result.action_details".
- Mapped "target.displayName" to "target.resource.name".
- Mapped "target.id" to "target.resource.id".
- Mapped "target.type" to "target.resource.type".
- Mapped "field.newValue" to "target.resource.product_object_id" if field.displayName is "AppRole.Id" else mapped "field.newValue" to "target.resource.attribute.labels".
- Added check for errorCode.
- Mapped "loggedByService" to "target.application".
- Mapped "activityDisplayName" to "metadata.product_event_type".
- Mapped "metadata.event_type" to "USER_RESOURCE_UPDATE_PERMISSIONS" where "activityDisplayName" is "Add app role assignment to service principal".
2022-08-25 Enhancement:
- If "properties.initiatedBy.user.userPrincipalName" matches "email regex pattern" then mapped to "principal.user.email_addresses" else mapped to "principal.user.userid".
- If "properties.userPrincipalName" or "userPrincipalName" matches "email regex pattern" then mapped to "target.user.email_addresses" else mapped to "target.user.userid".
2022-08-11 Enhancement:
- Removed drop tag "TAG_MALFORMED_ENCODING".
- Added "event_type" "GENERIC_EVENT".
2022-05-29 Enhancement - Modified the for loop for the field 'riskEventTypes_v2' mapped to 'additional.fields'.
Mapped the field 'level' to 'security_result.severity_details'.
Mapped the field 'properties.result' to 'security_result.action_details'.
2022-04-20 Bug-fix - Parsed the logs with event "appDisplayName": "NotApplicable".
- Modified the for loop for the field 'riskEventTypes'.