Change log for AZURE_RESOURCE_LOGS
Date | Changes
---|---
2022-07-18 | Enhancement - mapped the following fields:<br>- mapped "properties.activity" to "metadata.description".<br>- mapped "properties.riskType" to "event.idm.read_only_udm.additional.fields".<br>- mapped "properties.riskLevelDuringSignIn" to "event.idm.read_only_udm.additional.fields".<br>- mapped "properties.riskLevelAggregated" to "event.idm.read_only_udm.additional.fields".<br>- mapped "properties.originalRequestId" to "event.idm.read_only_udm.additional.fields".<br>- mapped "Level", "tenantId" to "event.idm.read_only_udm.additional.fields".<br>- mapped "properties.conditionalAccessStatus" to "security_result.about.labels".<br>- mapped "properties.userType" to "target.user.attribute.labels".<br>- mapped "properties.provisioningSteps.0.details.city" to "principal.location.city".<br>- mapped "properties.provisioningSteps.0.details.country" to "principal.location.country_or_region".<br>- mapped "properties.sourceSystem.Id" to "principal.resource.product_object_id".<br>- mapped "properties.sourceIdentity.details.id" to "principal.user.product_object_id".<br>- mapped "properties.sourceSystem.Name" to "principal.resource.name".<br>- mapped "properties.accountEnabled", "properties.isProcessing", "properties.isGuest", "properties.isDeleted" to "event.idm.read_only_udm.additional.fields".<br>- mapped "properties.authenticationRequirement", "properties.status.errorCode", "properties.statusInfo.Status" to "event.idm.read_only_udm.additional.fields".<br>- mapped "properties.sourceIdentity.details.odatatype", "properties.provisioningSteps.0.details.appRoleAssignments" to "principal.user.attribute.labels".<br>- mapped "properties.sourceIdentity.details.UserPrincipalName", "properties.ServicePrincipalId" to "principal.user.userid".<br>- mapped "properties.source", "correlationId", "properties.activityDateTime", "properties.detectedDateTime", "properties.lastUpdatedDateTime" to "security_result.detection_fields".<br>- mapped "properties.sourceIdentity.details.DisplayName", "properties.ServicePrincipalDisplayName", "properties.servicePrincipalName" to "principal.user.user_display_name".<br>- mapped "properties.servicePrincipalType", "properties.servicePrincipalCredentialKeyId" to "principal.resource.attribute.labels".<br>- mapped "properties.deviceDetail.isCompliant", "properties.deviceDetail.isManaged" to "principal.asset.attribute.labels".
2022-06-26 | Parsed logs whose "category" value is one of "UserRiskEvents", "RiskyUsers", "RiskyServicePrincipals", "ServicePrincipalSignInLogs", "NonInteractiveUserSignInLogs", "ProvisioningLogs" or "ADFSSignInLogs".<br>- mapped "properties.ipAddress" to "principal.ip".<br>- mapped "properties.id" to "metadata.product_log_id".<br>- mapped "properties.displayName" to "target.application".<br>- mapped "properties.location.city" to "principal.location.city".<br>- mapped "properties.location.state" to "principal.location.state".<br>- mapped "properties.userDisplayName" to "target.user.user_display_name".<br>- mapped "properties.userId" to "target.user.product_object_id".<br>- mapped "properties.appId" to "target.resource.attribute.labels".<br>- mapped "properties.resourceDisplayName" to "target.resource.name".<br>- mapped "properties.resourceId" to "target.resource.product_object_id".<br>- mapped "properties.deviceDetail.operatingSystem" to "principal.platform_version".<br>- mapped "properties.deviceDetail.browser" to "network.http.user_agent".<br>- mapped "properties.deviceDetail.deviceId" to "principal.asset.asset_id".<br>- mapped "properties.deviceDetail.displayName" to "principal.asset.hostname".<br>- mapped "properties.sourceIdentity.details.id" to "principal.user.product_object_id".<br>- mapped "properties.location.countryOrRegion" to "principal.location.country_or_region".<br>- mapped "properties.location.geoCoordinates.latitude" to "principal.location.region_latitude".<br>- mapped "properties.location.geoCoordinates.longitude" to "principal.location.region_longitude".<br>- mapped "properties.sourceIdentity.details.DisplayName" to "principal.user.user_display_name".<br>- mapped "properties.authenticationDetails.0.authenticationMethodDetail" to "security_result.about.labels".<br>- mapped "properties.riskLevel", "properties.riskState", "properties.riskDetail" to "event.idm.read_only_udm.additional.fields".<br>- If the value of "properties.authenticationDetails.0.authenticationMethod" is "Password", then mapped "extensions.auth.mechanism" to "USERNAME_PASSWORD".<br>- If the value of "properties.userPrincipalName" is in email format, then mapped it to "target.user.userid" and "target.user.email_addresses"; otherwise mapped it only to "target.user.userid".<br>- If the value of "properties.sourceIdentity.details.UserPrincipalName" is in email format, then mapped it to "principal.user.userid" and "principal.user.email_addresses"; otherwise mapped it only to "principal.user.userid".<br>For category "NonInteractiveUserSignInLogs":<br>- mapped "properties.deviceDetail.trustType" to "event.idm.read_only_udm.additional.fields".<br>- mapped "properties.clientAppUsed" to "principal.application".<br>For category "UserRiskEvents":<br>- If the value of "properties.additionalInfo.Key" is "userAgent", then mapped "properties.additionalInfo.Value" to "network.http.user_agent".
2022-05-31 | Newly created parser.
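The following Python script is an added illustration of the conditional mapping rules in the 2022-06-26 entry (the email-format check on user principal names, the "Password" to USERNAME_PASSWORD rule, and the category-specific handling for "NonInteractiveUserSignInLogs" and "UserRiskEvents"). It is not the parser's own code: the production parser is not written in Python, the exact email pattern it uses is not stated in the change log, the nested-dict output shape and the key/value form used for additional.fields are assumptions, and the two input records are constructed samples. It also handles one edge case the change log does not spell out: "properties.additionalInfo" arriving as a JSON-encoded string rather than a list, which is treated here as an assumption about how such records may be delivered.

```python
import json
import re
from typing import Any, Dict

# Assumption: the change log only says "in email format"; this pattern is a
# reasonable stand-in for whatever check the real parser applies.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Unconditional source -> UDM mappings taken from the 2022-06-26 entry.
DIRECT_MAPPINGS = {
    "properties.ipAddress": "principal.ip",
    "properties.id": "metadata.product_log_id",
    "properties.displayName": "target.application",
    "properties.location.city": "principal.location.city",
    "properties.location.state": "principal.location.state",
    "properties.location.countryOrRegion": "principal.location.country_or_region",
    "properties.userDisplayName": "target.user.user_display_name",
    "properties.userId": "target.user.product_object_id",
    "properties.resourceDisplayName": "target.resource.name",
    "properties.resourceId": "target.resource.product_object_id",
    "properties.deviceDetail.operatingSystem": "principal.platform_version",
    "properties.deviceDetail.browser": "network.http.user_agent",
    "properties.deviceDetail.deviceId": "principal.asset.asset_id",
    "properties.deviceDetail.displayName": "principal.asset.hostname",
}


def _get(obj: Any, path: str, default: Any = None) -> Any:
    """Walk a dotted path; numeric segments index lists (e.g. '...Details.0')."""
    cur = obj
    for part in path.split("."):
        if isinstance(cur, dict):
            cur = cur.get(part)
        elif isinstance(cur, list) and part.isdigit() and int(part) < len(cur):
            cur = cur[int(part)]
        else:
            return default
        if cur is None:
            return default
    return cur


def _parent(udm: Dict[str, Any], path: str):
    """Return (container dict, leaf key) for a dotted UDM path, creating parents."""
    parts = path.split(".")
    cur = udm
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    return cur, parts[-1]


def _set(udm: Dict[str, Any], path: str, value: Any) -> None:
    cur, leaf = _parent(udm, path)
    cur[leaf] = value


def _append(udm: Dict[str, Any], path: str, value: Any) -> None:
    """Repeatable UDM fields (email_addresses, additional.fields) are lists."""
    cur, leaf = _parent(udm, path)
    cur.setdefault(leaf, []).append(value)


def _map_upn(udm: Dict[str, Any], log: Dict[str, Any], src: str, user: str) -> None:
    """userid is always set; email_addresses only when the UPN looks like an email."""
    upn = _get(log, src)
    if upn is None:
        return
    _set(udm, f"{user}.userid", upn)
    if EMAIL_RE.match(upn):
        _append(udm, f"{user}.email_addresses", upn)


def to_udm(log: Dict[str, Any]) -> Dict[str, Any]:
    """Apply the 2022-06-26 mapping rules to one Azure resource log record."""
    udm: Dict[str, Any] = {}
    for src, dst in DIRECT_MAPPINGS.items():
        val = _get(log, src)
        if val is not None:
            _set(udm, dst, val)
    for src in ("properties.riskLevel", "properties.riskState", "properties.riskDetail"):
        val = _get(log, src)
        if val is not None:
            _append(udm, "additional.fields", {"key": src.rsplit(".", 1)[-1], "value": val})
    if _get(log, "properties.authenticationDetails.0.authenticationMethod") == "Password":
        _set(udm, "extensions.auth.mechanism", "USERNAME_PASSWORD")
    _map_upn(udm, log, "properties.userPrincipalName", "target.user")
    _map_upn(udm, log, "properties.sourceIdentity.details.UserPrincipalName", "principal.user")

    category = log.get("category")
    if category == "NonInteractiveUserSignInLogs":
        trust = _get(log, "properties.deviceDetail.trustType")
        if trust is not None:
            _append(udm, "additional.fields", {"key": "trustType", "value": trust})
        app = _get(log, "properties.clientAppUsed")
        if app is not None:
            _set(udm, "principal.application", app)
    elif category == "UserRiskEvents":
        info = _get(log, "properties.additionalInfo", [])
        if isinstance(info, str):  # assumption: may arrive JSON-encoded
            try:
                info = json.loads(info)
            except ValueError:
                info = []
        for item in info or []:
            if isinstance(item, dict) and item.get("Key") == "userAgent":
                _set(udm, "network.http.user_agent", item.get("Value"))
    return udm


# Constructed sample records (not from any real tenant).
SAMPLE_LOGS = [
    {"category": "NonInteractiveUserSignInLogs", "properties": {
        "id": "log-0001", "ipAddress": "203.0.113.10",
        "userPrincipalName": "alice@example.com", "userDisplayName": "Alice Example",
        "clientAppUsed": "Mobile Apps and Desktop clients",
        "deviceDetail": {"trustType": "Azure AD joined", "browser": "Edge 103"},
        "location": {"city": "Dublin", "countryOrRegion": "IE"},
        "authenticationDetails": [{"authenticationMethod": "Password"}]}},
    {"category": "UserRiskEvents", "properties": {
        "id": "log-0002", "userPrincipalName": "svc-backup",
        "riskLevel": "high", "riskState": "atRisk",
        "additionalInfo": json.dumps([{"Key": "userAgent", "Value": "python-requests/2.28"}])}},
]

if __name__ == "__main__":
    for rec in SAMPLE_LOGS:
        print(json.dumps(to_udm(rec), indent=2))
```

Running the script prints one UDM-shaped dictionary per sample; the first shows the email UPN landing in both target.user.userid and target.user.email_addresses, while the second (a non-email service account) populates only userid and takes its user agent from additionalInfo rather than deviceDetail.browser.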