
Change log for IIS

Date Changes
2022-10-25 Enhancement:
- Extracted "uri_query", "intermediary_device_name", "principal_username", "sent_bytes", "received_bytes" from log.
- Changed "dst_port" to "src_port" for anvs customer.
- Mapped "src_port" to "principal.port".
- Updated "target.url" mapping to "request_url" + "?" + "uri_query".
- Mapped "token_data" to "security_result.detection_fields" as "Cookie".
- Mapped "sent_bytes" and "received_bytes" to "network.sent_bytes" and "network.received_bytes" respectively.
- Mapped "intermediary_device_name" to "target.hostname" if "target_host" is empty; otherwise mapped it to "intermediary.hostname".
- Mapped "principal_username" to "principal.user.userid".
- "Devicename" is mapped to "target.hostname" only when "target_host" is empty.
- Mapped "src_ip" to "principal.ip" if "xff_ips" is empty.
- Mapped "src_ip" to "intermediary.ip" and "xff_ips" to "principal.ip" if "xff_ips" is not empty.
- Added grok for qaltd customer.
2022-10-01 Enhancement:
- Wrote grok to parse unparsed syslogs.
- Mapped "Severity" to "security_result.severity".
- Mapped "UserName" to "target.user.userid".
- Mapped "UserSid" to "target.user.windows_sid".
- Mapped "ProviderKey" to "security_result.about.resource.attribute.labels".
- Mapped "LayerKey" to "security_result.about.resource.attribute.labels".
- Mapped "LayerName" to "security_result.about.resource.attribute.labels".
- Mapped "LayerId" to "security_result.about.resource.attribute.labels".
- Mapped "Weight" to "security_result.about.resource.attribute.labels".
- Mapped "Conditions" to "security_result.about.resource.attribute.labels".
- Mapped "Action" to "security_result.about.resource.attribute.labels".
- Mapped "CalloutKey" to "security_result.about.resource.attribute.labels".
- Mapped "CalloutName" to "security_result.about.resource.attribute.labels".
- Mapped "Channel" to "security_result.about.resource.attribute.labels".
- Mapped "FilterId" to "security_result.about.resource.attribute.labels".
- Mapped "FilterKey" to "security_result.about.resource.attribute.labels".
- Mapped "FilterName" to "security_result.about.resource.attribute.labels".
- Mapped "FilterType" to "security_result.about.resource.attribute.labels".
- Mapped "ProviderGuid" to "security_result.about.resource.attribute.labels".
- Mapped "ProviderName" to "security_result.about.resource.attribute.labels".
- Mapped "SourceName" to "security_result.about.resource.attribute.labels".
- Mapped "SyslogSeverity" to "security_result.about.resource.attribute.labels".
- Mapped "Category" to "security_result.category_details".
- Mapped "EventType" to "metadata.product_event_type".
- Mapped "EventID" to "metadata.product_log_id".
- Mapped "ProcessID" to "principal.process.pid".
- Mapped "SourceModuleName" to "target.resource.name".
- Mapped "SourceModuleType" to "observer.application".
2022-09-30 Enhancement:
- Mapped XFF header IPs to "intermediary.ip".
- Mapped hostname to "target.hostname".
- Added an extra grok pattern to correctly parse certain logs that carry extra information, and mapped that extra information to additional fields.
- Mapped "ASP.NET_SessionId" to "network.session_id".
2022-03-30 Enhancement:
- Parse additional fields.
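The 2022-10-25 entry describes several conditional mappings (XFF handling, the hostname fallback, and the target.url construction) whose interaction is easy to get wrong when validating parser output. The block below is an added illustration written for this page; it is not the Google SecOps IIS parser, which is Logstash-style configuration, but a plain-Python model of the listed rules that can be run against sample records. Input field names follow the change log ("src_ip", "xff_ips", "request_url", "uri_query", "target_host", "intermediary_device_name", and so on); the "-" sentinel for an empty IIS field, the comma-separated XFF chain, and the two sample records are assumptions constructed for the example.

```python
# Added illustration of the 2022-10-25 IIS mapping rules from the change log.
# Not the Google SecOps parser itself; a plain-Python model of the rules so they can
# be checked against sample records. Input keys use the change log's field names.
# Assumptions: IIS writes "-" for an absent value, and xff_ips may hold a
# comma-separated chain of addresses.
from typing import Any, Dict, List

EMPTY = {None, "", "-"}  # "-" is the IIS W3C placeholder for an empty field (assumption)


def _present(value: Any) -> bool:
    return value not in EMPTY


def _split_ips(value: str) -> List[str]:
    # An X-Forwarded-For chain is comma-separated; keep order, drop blanks.
    return [p.strip() for p in value.split(",") if p.strip()]


def map_iis_record(rec: Dict[str, Any]) -> Dict[str, Any]:
    """Apply the change-log mapping rules to one extracted IIS record.

    Returns a flat dict keyed by dotted UDM-style paths.
    """
    udm: Dict[str, Any] = {}

    # target.url = request_url + "?" + uri_query; the "?" is omitted when no query exists.
    if _present(rec.get("request_url")):
        url = rec["request_url"]
        if _present(rec.get("uri_query")):
            url = f"{url}?{rec['uri_query']}"
        udm["target.url"] = url

    # src_ip -> principal.ip when no XFF is present; otherwise the XFF IPs become the
    # principal and the direct peer (src_ip) becomes intermediary.ip. For detection
    # authors: the XFF chain is client-supplied, so intermediary.ip is the only peer
    # address the server itself observed.
    src_ip, xff = rec.get("src_ip"), rec.get("xff_ips")
    if _present(xff):
        udm["principal.ip"] = _split_ips(xff)
        if _present(src_ip):
            udm["intermediary.ip"] = [src_ip]
    elif _present(src_ip):
        udm["principal.ip"] = [src_ip]

    # src_port -> principal.port (as an integer).
    if _present(rec.get("src_port")):
        udm["principal.port"] = int(rec["src_port"])

    # intermediary_device_name fills target.hostname only when target_host is empty;
    # otherwise target_host is the target and the device name is the intermediary.
    device = rec.get("intermediary_device_name")
    if _present(rec.get("target_host")):
        udm["target.hostname"] = rec["target_host"]
        if _present(device):
            udm["intermediary.hostname"] = device
    elif _present(device):
        udm["target.hostname"] = device

    if _present(rec.get("principal_username")):
        udm["principal.user.userid"] = rec["principal_username"]

    # token_data -> security_result.detection_fields under the key "Cookie".
    if _present(rec.get("token_data")):
        udm["security_result.detection_fields"] = [{"key": "Cookie", "value": rec["token_data"]}]

    for src, dst in (("sent_bytes", "network.sent_bytes"),
                     ("received_bytes", "network.received_bytes")):
        if _present(rec.get(src)):
            udm[dst] = int(rec[src])
    return udm


# Constructed sample records (not taken from the page).
SAMPLE_PROXIED = {
    "src_ip": "10.0.0.5", "xff_ips": "203.0.113.7, 198.51.100.2", "src_port": "51234",
    "request_url": "/login.aspx", "uri_query": "ReturnUrl=%2Fadmin",
    "target_host": "www.example.test", "intermediary_device_name": "WEB01",
    "principal_username": "jdoe", "token_data": "ASP.NET_SessionId=abc123",
    "sent_bytes": "512", "received_bytes": "1024",
}
SAMPLE_DIRECT = {
    "src_ip": "192.0.2.10", "xff_ips": "-", "src_port": "40000",
    "request_url": "/index.html", "uri_query": "-",
    "target_host": "-", "intermediary_device_name": "WEB01",
}

if __name__ == "__main__":
    for name, rec in (("proxied", SAMPLE_PROXIED), ("direct", SAMPLE_DIRECT)):
        print(name)
        for key, value in sorted(map_iis_record(rec).items()):
            print(f"  {key} = {value}")
```

Running the block prints both mapped records; the proxied sample shows the XFF chain landing in principal.ip with the load balancer's address demoted to intermediary.ip, while the direct sample shows src_ip staying as the principal and the device name falling back to target.hostname.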