Change log for AZURE_AD
Date | Changes |
---|---|
2024-02-26 | Enhancement:
- Mapped "appliedConditionalAccessPolicies" to "security_result". - Mapped "isInteractive" to "extensions.auth.mechanism". - Mapped "location.geoCoordinates.altitude" to "additional.fields". |
2024-02-09 | Enhancement:
- Mapped "authenticationDetails.authenticationMethod", "authenticationDetails.authenticationMethodDetail", "authenticationDetails.authenticationStepResultDetail", "authenticationDetails.authenticationStepDateTime", and "authenticationDetails.authenticationStepRequirement" to "security_result.detection_fields". - Mapped "authenticationDetails.succeeded" to "security_result.action". - Mapped "status.additionalDetails" to "security_result.description". |
2024-01-11 | Enhancement:
- Mapped "correlationId" to "security_result.detection_fields". |
2023-11-20 | Enhancement:
- Mapped "tenantId" to "metadata.product_deployment_id". - Mapped "Level" to "security_result.severity_details" and "security_result.severity". - Mapped "properties.userDisplayName" to "target.user.user_display_name". - Mapped "identity" to "target.user.user_display_name". - Mapped "properties.activityDateTime" to "metadata.event_timestamp". - Mapped "properties.activity" to "security_result.summary". - Mapped "resultSignature", "properties.riskLevel", "properties.isGuest", "properties.isDeleted", "properties.isProcessing", "properties.riskLastUpdatedDateTime", "properties.riskType", "properties.riskEventType", "properties.riskState", "properties.riskDetail", "properties.source", "properties.detectionTimingType", "properties.detectedDateTime", "properties.lastUpdatedDateTime", "properties.tokenIssuerType", "properties.homeTenantId", "properties.userType", "properties.crossTenantAccessType", "durationMs" to "additional.fields". - Mapped "resourceId" to "target.resource.product_object_id". - Mapped "properties.location.geoCoordinates.longitude" and "location.geoCoordinates.longitude" to "principal.location.region_coordinates.longitude". - Mapped "properties.location.geoCoordinates.latitude" and "location.geoCoordinates.latitude" to "principal.location.region_coordinates.latitude". |
2023-07-12 | Enhancement:
- Mapped "deviceDetail.isCompliant", "deviceDetail.isManaged", "deviceDetail.trustType" to "principal.asset.attribute.labels". - Mapped "deviceDetail.deviceId" to "principal.asset.asset_id". - Mapped "deviceDetail.browser" to "network.http.user_agent". - Mapped "deviceDetail.operatingSystem" to "principal.platform_version". - Mapped "status.failureReason" to "additional.fields". - Mapped "status.errorCode" to "security_result.rule_id". - Mapped "deviceDetail.displayName" to "principal.asset.hardware". |
2023-03-14 | Enhancement:
- Mapped "browser" to "principal.resource.attribute.labels". - Mapped "isCompliant", "isManaged", "trustType" to "principal.asset.attribute.labels". - Mapped "domain" from "userPrincipalName" to "principal.administrative_domain". |
2022-12-16 | Enhancement:
- Added conditional check for the field 'initiatedBy.user.userPrincipalName' and mapped to 'principal.user.email_addresses'. |
2022-10-28 | Enhancement:
- Mapped "additionalDetails.0.value" to "network.http.user_agent". - Mapped "additionalDetails.1.value" to "target.resource.attribute.labels". - Mapped "Id" to "metadata.product_log_id". - Mapped "initiatedBy.user.id" to "principal.user.userid". - Mapped "initiatedBy.user.displayName" to "principal.user.user_display_name". - Mapped "initiatedBy.user.ipAddress" to "principal.ip". - Mapped "initiatedBy.user.userPrincipalName" to "principal.user.email_addresses". - Mapped "operationType" to "security_result.action_details". - Mapped "target.displayName" to "target.resource.name". - Mapped "target.id" to "target.resource.id". - Mapped "target.type" to "target.resource.type". - Mapped "field.newValue" to "target.resource.product_object_id" if "field.displayName" is "AppRole.Id"; otherwise mapped "field.newValue" to "target.resource.attribute.labels". - Added check for errorCode. - Mapped "loggedByService" to "target.application". - Mapped "activityDisplayName" to "metadata.product_event_type". - Set "metadata.event_type" to "USER_RESOURCE_UPDATE_PERMISSIONS" where "activityDisplayName" is "Add app role assignment to service principal". |
2022-08-25 | Enhancement:
- If "properties.initiatedBy.user.userPrincipalName" matches the email regex pattern, it is mapped to "principal.user.email_addresses"; otherwise it is mapped to "principal.user.userid". - If "properties.userPrincipalName" or "userPrincipalName" matches the email regex pattern, it is mapped to "target.user.email_addresses"; otherwise it is mapped to "target.user.userid". |
2022-08-11 | Enhancement:
- Removed drop tag "TAG_MALFORMED_ENCODING". - Added "event_type" "GENERIC_EVENT". |
2022-05-29 | Enhancement:
- Modified the for loop for the field 'riskEventTypes_v2' mapped to 'additional.fields'. - Mapped the field 'level' to 'security_result.severity_details'. - Mapped the field 'properties.result' to 'security_result.action_details'. |
2022-04-20 | Bug-fix:
- Parsed the logs with event "appDisplayName": "NotApplicable". - Modified the for loop for the field 'riskEventTypes'. |