Change log for AZURE_RESOURCE_LOGS
| Date | Changes |
|---|---|
| 2024-10-29 | Enhancement:<br>- If "resource_type" is "MANAGEDCLUSTERS", then set "target.resource.type" to "CLUSTER".<br>- If "resource_type" is "MANAGEDINSTANCES", then set "target.resource.type" to "VIRTUAL_MACHINE".<br>- If "resource_type" is "DATABASEACCOUNTS", then set "target.resource.type" to "DATABASE". |
| 2024-10-17 | Enhancement:<br>- Mapped "count", "total", "minimum", "ApiName", "Authentication", "ScaleUnit", "pod", and "containerID" to "security_result.detection_fields".<br>- Mapped "Region" to "principal.location.name".<br>- Mapped "processId" to "principal.process.pid".<br>- Mapped "action" to "security_result.action_details". |
| 2024-08-29 | Enhancement:<br>- Added support for a new pattern of JSON logs. |
| 2024-07-24 | Enhancement:<br>- Mapped "Role.DisplayName" and "Role.TemplateId" to "security_result.detection_fields".<br>- Initialized "authenticationStepResultDetail" so that previously unparsed logs are parsed. |
| 2024-05-10 | Bug-Fix:<br>- Changed the mapping of "conditionalAccessStatus" from "security_result.about.labels" to "security_result.about.resource.attribute.labels". |
| 2024-03-13 | Enhancement:<br>- Mapped additional fields for "AADNonInteractiveUserSignInLogs", "AADManagedIdentitySignInLogs", "AADProvisioningLogs", and "AADServicePrincipalSignInLogs".<br>- Mapped "properties.correlationId" to "security_result.detection_fields". |
| 2023-12-11 | Enhancement:<br>- Mapped "properties.requestId", "properties.riskEventType", "properties.tokenIssuerType", and "properties.keyIds" to "target.resource.attribute.labels".<br>- Mapped "properties.detectionTimingType" to "additional.fields".<br>- Mapped "properties.appliedConditionalAccessPolicies" to "about.labels".<br>- Mapped "properties.authenticationProcessingDetails" to "security_result.detection_fields".<br>- Mapped "properties.additionalInfo.userAgent" to "network.http.user_agent".<br>- Mapped "properties.additionalInfo.alertUrl" to "target.url". |
| 2023-10-04 | Bug-Fix:<br>- Added 'on_error' to the JSON filter; when the JSON filter fails, the log is dropped with the tag 'TAG_MALFORMED_MESSAGE'.<br>- Mapped 'properties.ScStatus', 'properties.statusCode', 'statusCode', 'record.properties.ScStatus', and 'record.properties.statusCode' to 'network.http.response_code' only when the 'CONVERT' filter (which converts the value to an integer) reports no error.<br>- Added the same condition for 'responseStatus.code' and 'record.responseStatus.code': they are mapped to 'network.http.response_code' only when 'on_error' for 'CONVERT' is not true. |
| 2023-09-04 | Enhancement:<br>- Mapped the following fields under "properties.additionalDetails":<br>&nbsp;&nbsp;- Mapped the value to 'metadata.product_deployment_id' where the key is 'TenantId'.<br>&nbsp;&nbsp;- Mapped the value to 'security_result.rule_id' where the key is 'PolicyId'.<br>&nbsp;&nbsp;- Mapped the value to 'network.http.user_agent' where the key is 'Client'.<br>&nbsp;&nbsp;- Mapped the value to 'principal.user.email_addresses' where the key is 'LocalAccountUsername'.<br>&nbsp;&nbsp;- Mapped the value to 'principal.administrative_domain' where the key is 'DomainName'.<br>- Mapped 'properties.targetResources.userPrincipalName' to 'target.user.email_addresses'.<br>- Mapped 'properties.initiatedBy.app.appId' to 'target.resource.attribute.labels'. |
| 2023-08-04 | Enhancement:<br>- Mapped "properties.initiatedBy.user.userPrincipalName" to "principal.user.userid". |
| 2023-07-10 | Enhancement:<br>- Initialized the "UnderlayClass", "record.UnderlayClass", "UnderlayName", and "record.UnderlayName" fields and added null checks for them. |
| 2022-11-18 | Enhancement:<br>- "security_result.action" was "BLOCK" by default. Added a condition so that it is set to "BLOCK" only if 'properties.succeeded' is 'false', 'statusText' is 'fail' or 'false', or 'resultType' is 'fail' or 'failed'. |
| 2022-11-11 | Bug-Fix:<br>- Added a null check for "properties.log.annotations.authorization".<br>- Added an on_error statement for "properties.log.annotations.authorization.k8s.io/decision" and "properties.log.annotations.authorization.k8s.io/reason". |
| 2022-10-20 | Bug-Fix:<br>- Added a condition so that when "resultType" is "success", "security_result.action" is "ALLOW" instead of the default "BLOCK".<br>- Mapped "event_type" to "USER_LOGIN" and "extensions.auth.type" to "AUTH_UNSPECIFIED" when "operationName" is "Sign-in Activity".<br>- Mapped "callerIpAddress" to "principal.ip" when "properties.ipAddress" is empty.<br>- Mapped "event_type" to "USER_RESOURCE_ACCESS" when "callerIpAddress" is not empty and "target.resource" is not empty. |
| 2022-10-03 | Enhancement: mapped the following fields:<br>- Mapped "statusCode" to "network.http.response_code".<br>- Mapped "correlationId" to "security_result.detection_fields".<br>- Mapped "properties.userAgentHeader" to "network.http.user_agent".<br>- Mapped "properties.accountName" to "principal.user.userid".<br>- Mapped "properties.objectKey" to "target.resource.attribute.labels".<br>- Mapped "properties.clientRequestId" to "target.resource.attribute.labels".<br>- Mapped "properties.responseMd5" to "target.resource.attribute.labels".<br>- Mapped "properties.tlsVersion" to "network.tls.version".<br>- Mapped "uri" to "network.http.referral_url".<br>- Mapped "protocol" to "network.application_protocol".<br>- Mapped "resourceType" to "target.resource.type".<br>- Mapped "statusText" to "security_result.summary". |
| 2022-08-11 | Bug-Fix:<br>- Remapped "properties.deviceDetail.displayName" to "principal.asset.hardware.model". |
| 2022-07-18 | Enhancement: mapped the following fields:<br>- Mapped "properties.activity" to "metadata.description".<br>- Mapped "properties.riskType" to "event.idm.read_only_udm.additional.fields".<br>- Mapped "properties.riskLevelDuringSignIn" to "event.idm.read_only_udm.additional.fields".<br>- Mapped "properties.riskLevelAggregated" to "event.idm.read_only_udm.additional.fields".<br>- Mapped "properties.originalRequestId" to "event.idm.read_only_udm.additional.fields".<br>- Mapped "Level" and "tenantId" to "event.idm.read_only_udm.additional.fields".<br>- Mapped "properties.conditionalAccessStatus" to "security_result.about.labels".<br>- Mapped "properties.userType" to "target.user.attribute.labels".<br>- Mapped "properties.provisioningSteps.0.details.city" to "principal.location.city".<br>- Mapped "properties.provisioningSteps.0.details.country" to "principal.location.country_or_region".<br>- Mapped "properties.sourceSystem.Id" to "principal.resource.product_object_id".<br>- Mapped "properties.sourceIdentity.details.id" to "principal.user.product_object_id".<br>- Mapped "properties.sourceSystem.Name" to "principal.resource.name".<br>- Mapped "properties.accountEnabled", "properties.isProcessing", "properties.isGuest", and "properties.isDeleted" to "event.idm.read_only_udm.additional.fields".<br>- Mapped "properties.authenticationRequirement", "properties.status.errorCode", and "properties.statusInfo.Status" to "event.idm.read_only_udm.additional.fields".<br>- Mapped "properties.sourceIdentity.details.odatatype" and "properties.provisioningSteps.0.details.appRoleAssignments" to "principal.user.attribute.labels".<br>- Mapped "properties.sourceIdentity.details.UserPrincipalName" and "properties.ServicePrincipalId" to "principal.user.userid".<br>- Mapped "properties.source", "correlationId", "properties.activityDateTime", "properties.detectedDateTime", and "properties.lastUpdatedDateTime" to "security_result.detection_fields".<br>- Mapped "properties.sourceIdentity.details.DisplayName", "properties.ServicePrincipalDisplayName", and "properties.servicePrincipalName" to "principal.user.user_display_name".<br>- Mapped "properties.servicePrincipalType" and "properties.servicePrincipalCredentialKeyId" to "principal.resource.attribute.labels".<br>- Mapped "properties.deviceDetail.isCompliant" and "properties.deviceDetail.isManaged" to "principal.asset.attribute.labels". |
| 2022-06-26 | Parsed logs whose "category" value is "UserRiskEvents", "RiskyUsers", "RiskyServicePrincipals", "ServicePrincipalSignInLogs", "NonInteractiveUserSignInLogs", "ProvisioningLogs", or "ADFSSignInLogs":<br>- Mapped "properties.ipAddress" to "principal.ip".<br>- Mapped "properties.id" to "metadata.product_log_id".<br>- Mapped "properties.displayName" to "target.application".<br>- Mapped "properties.location.city" to "principal.location.city".<br>- Mapped "properties.location.state" to "principal.location.state".<br>- Mapped "properties.userDisplayName" to "target.user.user_display_name".<br>- Mapped "properties.userId" to "target.user.product_object_id".<br>- Mapped "properties.appId" to "target.resource.attribute.labels".<br>- Mapped "properties.resourceDisplayName" to "target.resource.name".<br>- Mapped "properties.resourceId" to "target.resource.product_object_id".<br>- Mapped "properties.deviceDetail.operatingSystem" to "principal.platform_version".<br>- Mapped "properties.deviceDetail.browser" to "network.http.user_agent".<br>- Mapped "properties.deviceDetail.deviceId" to "principal.asset.asset_id".<br>- Mapped "properties.deviceDetail.displayName" to "principal.asset.hostname".<br>- Mapped "properties.sourceIdentity.details.id" to "principal.user.product_object_id".<br>- Mapped "properties.location.countryOrRegion" to "principal.location.country_or_region".<br>- Mapped "properties.location.geoCoordinates.latitude" to "principal.location.region_latitude".<br>- Mapped "properties.location.geoCoordinates.longitude" to "principal.location.region_longitude".<br>- Mapped "properties.sourceIdentity.details.DisplayName" to "principal.user.user_display_name".<br>- Mapped "properties.authenticationDetails.0.authenticationMethodDetail" to "security_result.about.labels".<br>- Mapped "properties.riskLevel", "properties.riskState", and "properties.riskDetail" to "event.idm.read_only_udm.additional.fields".<br>- If the value of "properties.authenticationDetails.0.authenticationMethod" is "Password", then mapped "extensions.auth.mechanism" to "USERNAME_PASSWORD".<br>- If the value of "properties.userPrincipalName" is in e-mail format, then mapped it to both "target.user.userid" and "target.user.email_addresses"; otherwise mapped it only to "target.user.userid".<br>- If the value of "properties.sourceIdentity.details.UserPrincipalName" is in e-mail format, then mapped it to both "principal.user.userid" and "principal.user.email_addresses"; otherwise mapped it only to "principal.user.userid".<br>For category "NonInteractiveUserSignInLogs":<br>- Mapped "properties.deviceDetail.trustType" to "event.idm.read_only_udm.additional.fields".<br>- Mapped "properties.clientAppUsed" to "principal.application".<br>For category "UserRiskEvents":<br>- If the value of "properties.additionalInfo.Key" is "userAgent", then mapped "properties.additionalInfo.Value" to "network.http.user_agent". |
| 2022-05-31 | Newly created parser. |
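Several entries above describe conditional logic rather than plain field copies: the resource-type translation (2024-10-29), the integer conversion that only maps a status code when it succeeds and the malformed-JSON drop (2023-10-04), the BLOCK/ALLOW decision for "security_result.action" (2022-11-18 and 2022-10-20), the IP fallback and event-type selection (2022-10-20), and the e-mail-format check on the UPN (2022-06-26). The following Python is an added illustration of that logic written for this page; it is not the parser's own configuration (the real parser is a Logstash-style config, not Python), and its flat dotted-key output, its case-insensitive comparison of result strings, and its choice to let USER_LOGIN take precedence over USER_RESOURCE_ACCESS are assumptions. The sample records are constructed.

```python
import json
import re
from typing import Any, Dict, Optional

# Constructed samples (not from the page): a trimmed Azure AD sign-in record,
# a failed resource operation, and a record whose UPN is not an e-mail address.
SAMPLE_SIGNIN = json.dumps({
    "operationName": "Sign-in Activity",
    "resultType": "success",
    "callerIpAddress": "203.0.113.7",
    "properties": {
        "ipAddress": "",
        "statusCode": "200",
        "userPrincipalName": "alice@example.com",
        "resourceDisplayName": "Microsoft Graph",
        "authenticationDetails": [{"authenticationMethod": "Password"}],
    },
})
SAMPLE_FAILED = json.dumps({
    "resource_type": "MANAGEDCLUSTERS",
    "callerIpAddress": "198.51.100.9",
    "resultType": "Failed",
    "statusText": "fail",
    "properties": {"statusCode": "n/a", "succeeded": "false"},
})
SAMPLE_NON_EMAIL_UPN = '{"properties": {"userPrincipalName": "svc-automation"}}'

# 2024-10-29 entry: Azure resource_type -> UDM target.resource.type
RESOURCE_TYPE_MAP = {
    "MANAGEDCLUSTERS": "CLUSTER",
    "MANAGEDINSTANCES": "VIRTUAL_MACHINE",
    "DATABASEACCOUNTS": "DATABASE",
}
FAIL_RESULT_TYPES = {"fail", "failed"}
FAIL_STATUS_TEXTS = {"fail", "false"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def to_int(value: Any) -> Optional[int]:
    """Mirror the CONVERT filter's on_error behaviour: None means 'do not map'."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def normalize(raw_line: str) -> Dict[str, Any]:
    """Apply a subset of the change-log rules to one raw JSON log line.

    Returns a flat dict keyed by dotted UDM field names (an illustration of the
    documented logic, not the parser's real output format).
    """
    udm: Dict[str, Any] = {}
    try:
        rec = json.loads(raw_line)
    except json.JSONDecodeError:
        # 2023-10-04 entry: a JSON filter failure tags the log and drops it.
        udm["tags"] = ["TAG_MALFORMED_MESSAGE"]
        return udm
    props = rec.get("properties") or {}

    # 2023-10-04 entry: map the status code only when integer conversion succeeds.
    code = to_int(props.get("statusCode", rec.get("statusCode")))
    if code is not None:
        udm["network.http.response_code"] = code

    # 2022-10-20 entry: prefer properties.ipAddress, fall back to callerIpAddress.
    ip = props.get("ipAddress") or rec.get("callerIpAddress")
    if ip:
        udm["principal.ip"] = ip

    # 2022-06-26 and 2024-10-29 entries: target resource name and type.
    if props.get("resourceDisplayName"):
        udm["target.resource.name"] = props["resourceDisplayName"]
    if rec.get("resource_type") in RESOURCE_TYPE_MAP:
        udm["target.resource.type"] = RESOURCE_TYPE_MAP[rec["resource_type"]]

    # 2022-06-26 entry: a UPN in e-mail format feeds both userid and email_addresses.
    upn = props.get("userPrincipalName")
    if upn:
        udm["target.user.userid"] = upn
        if EMAIL_RE.match(upn):
            udm["target.user.email_addresses"] = [upn]

    # 2022-06-26 entry: password authentication -> USERNAME_PASSWORD mechanism.
    details = props.get("authenticationDetails") or [{}]
    if details[0].get("authenticationMethod") == "Password":
        udm["extensions.auth.mechanism"] = "USERNAME_PASSWORD"

    # 2022-11-18 and 2022-10-20 entries: BLOCK only on an explicit failure signal,
    # ALLOW on resultType "success"; otherwise leave the action unset (assumption).
    result_type = str(rec.get("resultType", "")).lower()
    if (str(props.get("succeeded", "")).lower() == "false"
            or str(rec.get("statusText", "")).lower() in FAIL_STATUS_TEXTS
            or result_type in FAIL_RESULT_TYPES):
        udm["security_result.action"] = "BLOCK"
    elif result_type == "success":
        udm["security_result.action"] = "ALLOW"

    # 2022-10-20 entry: event type. USER_LOGIN wins when both rules match (assumption).
    if rec.get("operationName") == "Sign-in Activity":
        udm["metadata.event_type"] = "USER_LOGIN"
        udm["extensions.auth.type"] = "AUTH_UNSPECIFIED"
    elif rec.get("callerIpAddress") and any(k.startswith("target.resource") for k in udm):
        udm["metadata.event_type"] = "USER_RESOURCE_ACCESS"
    return udm


if __name__ == "__main__":
    for line in (SAMPLE_SIGNIN, SAMPLE_FAILED, SAMPLE_NON_EMAIL_UPN, "{not json"):
        print(json.dumps(normalize(line), indent=2))
```

The point worth noting for detection work is the 2023-10-04 behaviour: a non-numeric status code does not produce a bogus "network.http.response_code" value, and an unparseable line is tagged and dropped rather than silently producing an event with empty fields, so rules that key on those fields see either a trustworthy value or nothing.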