Change log for IIS

Date Changes
2024-02-18 Enhancement:
- Modified Grok pattern field names to map the value correctly.
- Modified name from "intermediary_devicename" to "observer_devicename".
- Modified name from "src_ip" to "observer_ip".
- Modified name from "dst_ip" to "principal_or_intermediary_ip".
- Modified name from "xff_ips" to "principal_xff_ips".
- Mapped "observer_ip" to "observer.ip".
- Mapped "observer_devicename" to "observer.hostname".
- Mapped "principal_xff_ips" to "principal.ip".
- If "principal_xff_ips" is present, then mapped "principal_or_intermediary_ip" to "intermediary.ip".
- If "principal_xff_ips" is not present, then mapped "principal_or_intermediary_ip" to "principal.ip".
2024-02-12 Enhancement:
- Added new Grok patterns to support network logs with key-value data.
- Mapped "sc-substatus" to "additional.fields".
2024-01-09 Enhancement:
- Added new Grok patterns to support the network logs with key-value data.
- Mapped "dst_ip2" to "target.ip".
- Mapped "X-BackEndCookie", "exchangecookie", "OutlookSession", "MapiContext", "MapiRouting", "content_type" and "MapiSequence" to "additional.fields".
2023-12-19 Enhancement:
- Mapped "Configuration" as a value to "metadata.product_event_type" if "EventType" is equal to "VERBOSE".
- Mapped "Message" to "security_result.description".
- Mapped "PhysicalPath" to "target.file.full_path".
- Mapped "OldValue", "NewValue", "Configuration" and "ConfigPath" to "additional.fields".
2023-12-06 Enhancement:
- Mapped "@timestamp" to "metadata.event_timestamp".
- Mapped "host.hostname" to "target.hostname".
- Mapped "logstash.process.host" to "intermediary.hostname".
- Mapped "logstash.collect.host" to "observer.hostname".
- Mapped "_user" to "principal.user.userid".
- Mapped "http_response" to "network.http.response_code".
- Mapped "referer" to "network.http.referral_url".
- Mapped "syslog_severity" to "security_result.severity_details".
- Mapped "message" to "security_result.description".
- When "_request_url" is "/login.aspx" and "_entity" is "AutoLogout=1", then set "metadata.event_type" to "USER_LOGOUT".
- When "_request_url" is "/login.aspx", then set "metadata.event_type" to "USER_LOGIN".
2023-10-27 Enhancement:
- Mapped "Noun.hostname" and "Noun.asset.hostname" to the same value.
- Mapped "cIP" to "target.ip".
- Mapped "csUriStem" to "target.url".
- Mapped "sPort" to "principal.port".
- Mapped "csUserAgent" to "http.user_agent".
- Mapped "sIP" to "principal.ip".
- Mapped "csMethod" to "network.http.method".
- Mapped "scStatus" to "http.response_code".
- Mapped "sComputerName" to "target.hostname".
- Mapped "_resourceId" to "target.resource.id".
- Mapped "scBytes" to "network.sent_bytes".
- Mapped "csBytes" to "network.received_bytes".
- Mapped "sSiteName", "TenantId", "EventProcessedUtcTime", "ManagementGroupName", and "EventEnqueuedUtcTime" to "additional.fields".
- Mapped "TimeGenerated" to "about.resource.attribute.labels".
- Mapped "SourceSystem" to "security_result.detection_fields".
2023-06-23 Bug-Fix - Change in log format:
- Defined a Grok pattern for the changed log format.
- Mapped "cs-host" to "principal.application".
- Mapped "uristem" or "cs-uri-stem" (whichever is present) to "target.url".
- Mapped "cs-version" to "network.tls.version_protocol".
- Replaced the value of "severity" with the value of the "Level" field.
- Replaced the value of "sitename" with "s-sitename".
- Replaced the value of "UserSid" with "UserID".
- Mapped "AgentDevice" as a label key and value.
- Mapped "app_name" to "principal.application".
- Mapped "ChannelID" to "security_result.about.resource.attribute".
- Mapped "Level" to "security_result.severity".
- Mapped "ExecutionProcessID" to "principal.process.pid".
- Mapped "ExecutionThreadID" to "principal.process.product_specific_process_id".
- Mapped "Domain" to "principal.user.userid".
- Mapped "UserID" to "principal.user.windows_sid".
- Mapped "AccountType" to "principal.user.role_name".
2023-05-12 Enhancement - Parsed failing JSON logs:
- Mapped "cshost" to "principal.hostname".
- Mapped "csusername" to "principal.user.user_display_name".
- Mapped "sip" to "target.ip".
- Mapped "uristem" to "target.url".
- Mapped "sport" to "target.port".
- Mapped "csversion" to "network.tls.version_protocol".
- Mapped "csuseragent" to "network.http.user_agent".
- Mapped "csip" to "principal.ip".
- Mapped "xforwardedfor" to "principal.ip".
- Mapped "csmethod" to "network.http.method".
- Mapped "csreferer" to "network.http.referral_url".
- Mapped "scstatus" to "network.http.response_code".
- Mapped "computername" to "target.asset.hostname".
- Mapped "scbyte" to "network.sent_bytes".
- Mapped "csbyte" to "network.received_bytes".
- Mapped "date" and "time" to "metadata.event_timestamp".
2023-03-01 Enhancement - Added support for JSON-format logs with keys like `c-*`, `s-*`, `cs-*` and `sc-*`.
2022-10-25 Enhancement:
- Extracted "uri_query", "intermediary_device_name", "principal_username", "sent_bytes" and "received_bytes" from the log.
- Changed "dst_port" to "src_port".
- Mapped "src_port" to "principal.port".
- Updated "target.url" mapping to "request_url"+?+"uri_query".
- Mapped "token_data" to "security_result.detection_fields" as "Cookie".
- Mapped "sent_bytes" to "network.sent_bytes".
- Mapped "received_bytes" to "network.received_bytes".
- Mapped "intermediary_devicename" to "target.hostname" if "target_host" is empty, else mapped it to "intermediary.hostname".
- Mapped "principal_username" to "principal.user.userid".
- Mapped "Devicename" to "target.hostname" only when "target_host" is empty.
- Mapped "src_ip" to "principal.ip" if "xff_ips" is empty.
- If "xff_ips" is not empty:
  - Mapped "src_ip" to "intermediary.ip".
  - Mapped "xff_ips" to "principal.ip".
- Added a Grok pattern for additional log types.
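The X-Forwarded-For rule described in the 2024-02-18 and 2022-10-25 entries (the connecting address becomes "intermediary.ip" when XFF is present and "principal.ip" otherwise), together with the "target.url" construction from the request path and "uri_query" and the login/logout rule from the 2023-12-06 entry, as an added worked example in Python. This is illustration code, not the parser's own: it assumes a W3C extended IIS log with a custom X-Forwarded-For field, that c-ip, s-ip, cs-uri-stem and cs-uri-query play the roles of the change log's src_ip, target, request_url and uri_query fields (and of "_request_url"/"_entity" for the login rule), and the sample log lines are constructed.

```python
"""Added example (not the parser's own code): apply the X-Forwarded-For,
target.url and login/logout rules from this change log to IIS W3C log lines.
Assumptions: W3C extended format with a custom X-Forwarded-For field; c-ip,
s-ip, cs-uri-stem and cs-uri-query stand in for the change log's src_ip,
target, request_url and uri_query fields; the sample lines are constructed."""
from typing import Dict, List, Optional

# Constructed sample log; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes cs-bytes X-Forwarded-For
2024-02-18 10:15:01 10.0.0.5 GET /login.aspx - 443 - 203.0.113.7 Mozilla/5.0 200 512 318 -
2024-02-18 10:15:02 10.0.0.5 GET /login.aspx AutoLogout=1 443 CORP\\alice 10.0.0.20 Mozilla/5.0 302 0 250 198.51.100.9,+172.16.0.3
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Split W3C extended lines into dicts keyed by the most recent #Fields header.
    IIS writes '-' for an empty value; it is kept so the mapper can decide."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip it rather than misalign fields
        records.append(dict(zip(fields, values)))
    return records


def _present(value: Optional[str]) -> Optional[str]:
    """Treat missing values and IIS's '-' placeholder as absent."""
    return None if value in (None, "", "-") else value


def map_record(rec: Dict[str, str]) -> Dict[str, object]:
    """Apply the change log's mapping rules to one parsed record."""
    udm: Dict[str, object] = {}

    # X-Forwarded-For rule: when the proxy supplied XFF, the connecting address
    # (c-ip) is only an intermediary and the XFF hops are the principal;
    # without XFF the connecting address is the principal itself.
    xff = _present(rec.get("X-Forwarded-For"))
    c_ip = _present(rec.get("c-ip"))
    if xff:
        # IIS encodes spaces as '+', so "a,+b" is the header value "a, b".
        udm["principal.ip"] = [hop.strip(" +") for hop in xff.split(",") if hop.strip(" +")]
        if c_ip:
            udm["intermediary.ip"] = c_ip
    elif c_ip:
        udm["principal.ip"] = [c_ip]

    s_ip = _present(rec.get("s-ip"))
    if s_ip:
        udm["target.ip"] = s_ip

    # target.url = request_url + "?" + uri_query, appending only when a query exists.
    stem = _present(rec.get("cs-uri-stem"))
    query = _present(rec.get("cs-uri-query"))
    if stem:
        udm["target.url"] = f"{stem}?{query}" if query else stem
        # Login/logout rule (2023-12-06 entry), assuming the stem and query play the
        # roles of _request_url and _entity. The more specific logout test runs first.
        if stem == "/login.aspx":
            udm["metadata.event_type"] = "USER_LOGOUT" if query == "AutoLogout=1" else "USER_LOGIN"

    user = _present(rec.get("cs-username"))
    if user:
        udm["principal.user.userid"] = user
    method = _present(rec.get("cs-method"))
    if method:
        udm["network.http.method"] = method
    status = _present(rec.get("sc-status"))
    if status and status.isdigit():
        udm["network.http.response_code"] = int(status)
    for src, dst in (("sc-bytes", "network.sent_bytes"), ("cs-bytes", "network.received_bytes")):
        raw = _present(rec.get(src))
        if raw and raw.isdigit():
            udm[dst] = int(raw)
    return udm


def map_log(text: str) -> List[Dict[str, object]]:
    """Parse and map every record in a W3C log."""
    return [map_record(r) for r in parse_w3c(text)]


if __name__ == "__main__":
    for event in map_log(SAMPLE_LOG):
        print(event)
```

The rule only yields a trustworthy "principal.ip" when a proxy the server trusts sets or overwrites X-Forwarded-For; without that, the first hop in the header is whatever the client sent, so detections keyed on "principal.ip" should also keep "intermediary.ip" (the address IIS actually saw) for correlation.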
2022-10-01 Enhancement:
- Added a Grok pattern to parse previously unparsed syslog messages.
- Mapped "Severity" to "security_result.severity".
- Mapped "UserName" to "target.user.userid".
- Mapped "UserSid" to "target.user.windows_sid".
- Mapped "ProviderKey" to "security_result.about.resource.attribute.labels".
- Mapped "LayerKey" to "security_result.about.resource.attribute.labels".
- Mapped "LayerName" to "security_result.about.resource.attribute.labels".
- Mapped "LayerId" to "security_result.about.resource.attribute.labels".
- Mapped "Weight" to "security_result.about.resource.attribute.labels".
- Mapped "Conditions" to "security_result.about.resource.attribute.labels".
- Mapped "Action" to "security_result.about.resource.attribute.labels".
- Mapped "CalloutKey" to "security_result.about.resource.attribute.labels".
- Mapped "CalloutName" to "security_result.about.resource.attribute.labels".
- Mapped "Channel" to "security_result.about.resource.attribute.labels".
- Mapped "FilterId" to "security_result.about.resource.attribute.labels".
- Mapped "FilterKey" to "security_result.about.resource.attribute.labels".
- Mapped "FilterName" to "security_result.about.resource.attribute.labels".
- Mapped "FilterType" to "security_result.about.resource.attribute.labels".
- Mapped "ProviderGuid" to "security_result.about.resource.attribute.labels".
- Mapped "ProviderName" to "security_result.about.resource.attribute.labels".
- Mapped "SourceName" to "security_result.about.resource.attribute.labels".
- Mapped "SyslogSeverity" to "security_result.about.resource.attribute.labels".
- Mapped "Category" to "security_result.category_details".
- Mapped "EventType" to "metadata.product_event_type".
- Mapped "EventID" to "metadata.product_log_id".
- Mapped "ProcessID" to "principal.process.pid".
- Mapped "SourceModuleName" to "target.resource.name".
- Mapped "SourceModuleType" to "observer.application".
2022-09-30 Enhancement:
- Mapped X-Forwarded-For header IPs to "intermediary.ip".
- Mapped "hostname" to "target.hostname".
- Added an extra Grok pattern to correctly parse certain logs that carry extra information, and mapped that information to "additional.fields".
- Mapped "ASP.NET_Session_id" to "network.session_id".
2022-03-30 Enhancement - Parsed additional fields.