Change log for IIS

Date Changes
2024-06-20 Enhancement:
- Mapped "streamid" to "additional.fields".
2024-06-11 Enhancement:
- Added a Grok pattern to parse unparsed logs.
2024-02-18 Enhancement:
- Modified Grok pattern field names to map the value correctly.
- Modified name from "intermediary_devicename" to "observer_devicename".
- Modified name from "src_ip" to "observer_ip".
- Modified name from "dst_ip" to "principal_or_intermediary_ip".
- Modified name from "xff_ips" to "principal_xff_ips".
- Mapped "observer_ip" to "observer.ip".
- Mapped "observer_devicename" to "observer.hostname".
- Mapped "principal_xff_ips" to "principal.ip".
- If "principal_xff_ips" is present, then mapped "principal_or_intermediary_ip" to "intermediary.ip".
- If "principal_xff_ips" is not present, then mapped "principal_or_intermediary_ip" to "principal.ip".
2024-02-12 Enhancement:
- Added new Grok patterns to support the network logs with kv data.
- Mapped "sc-substatus" to "additional.fields".
2024-01-09 Enhancement:
- Added new Grok patterns to support the network logs with key-value data.
- Mapped "dst_ip2" to "target.ip".
- Mapped "X-BackEndCookie","exchangecookie", "OutlookSession", "MapiContext", "MapiRouting", "content_type" and "MapiSequence" to "additional.fields".
2023-12-19 Enhancement:
- Mapped "Configuration" as a value to "metadata.product_event_type" if "EventType" is equal to "VERBOSE".
- Mapped "Message" to "security_result.description".
- Mapped "PhysicalPath" to "target.file.full_path".
- Mapped "OldValue", "NewValue", "Configuration" and "ConfigPath" to "additional.fields".
2023-12-06 Enhancement:
- Mapped "@timestamp" to "metadata.event_timestamp".
- Mapped "host.hostname" to "target.hostname".
- Mapped "logstash.process.host" to "intermediary.hostname".
- Mapped "logstash.collect.host" to "observer.hostname".
- Mapped "_user" to "principal.user.userid".
- Mapped "http_response" to "network.http.response_code".
- Mapped "referer" to "network.http.referral_url".
- Mapped "syslog_severity" to "security_result.severity_details".
- Mapped "message" to "security_result.description".
- When "_request_url" is "/login.aspx" and "_entity" is "AutoLogout=1", then set "metadata.event_type" to "USER_LOGOUT".
- When "_request_url" is "/login.aspx", then set "metadata.event_type" to "USER_LOGIN".
2023-10-27 Enhancement:
- Mapped "Noun.hostname" and "Noun.asset.hostname" to the same value.
- Mapped "cIP" to "target.ip".
- Mapped "csUriStem" to ""target.url".
- Mapped "sPort" to "principal.port".
- Mapped "csUserAgent" to "http.user_agent".
- Mapped "sIP" to "principal.ip".
- Mapped "csMethod" to "network.http.method".
- Mapped "scStatus" to "http.response_code".
- Mapped "sComputerName" to "target.hostname".
- Mapped "_resourceId" to "target.resource.id".
- Mapped "scBytes" to "network.sent_bytes".
- Mapped "csBytes" to "network.received_bytes".
- Mapped "sSiteName", "TenantId", "EventProcessedUtcTime", "ManagementGroupName", and "EventEnqueuedUtcTime" to "additional.fields".
- Mapped "TimeGenerated" to "about.resource.attribute.labels".
- Mapped "SourceSystem" to "security_result.detection_fields".
2023-06-23 Bug-Fix - Change in log Format
- Defined the grok for the changed log pattern
- Mapped cs-host to principal.application
- Mapped uristem & cs-uri-stem using if-else to target.url
- Mapped cs-version to network.tls.version_protocol
- Replaced the value of severity with the value in the field Level
- Replaced the value of sitename with s-sitename
- Replaced the value of UserSid with UserID
- Mapped AgentDevice as label key and value
- Mapped "app_name" to principal.application
- Mapped "ChannelID" to security_result.about.resource.attribute
- Mapped "Level" to security_result.severity
- Mapped "ExecutionProcessID" to principal.process.pid
- Mapped "ExecutionThreadID" to principal.process.product_specific_process_id
- Mapped "Domain" to principal.user.userid
- Mapped "UserID" to principal.user.windows_sid
- Mapped "AccountType" to principal.user.role_name
2023-05-12 Enhancement - Parsed failing JSON logs
- Mapped "cshost" to "principal.hostname"
- Mapped "csusername" to "principal.user.user_display_name".
- Mapped "sip" to "target.ip".
- Mapped "uristem" to "target.url".
- Mapped "sport" to "target.port".
- Mapped "csversion" to "network.tls.version_protocol".
- Mapped "csuseragent" to "network.http.user_agent".
- Mapped "csip" to "principal.ip".
- Mapped "xforwardedfor" to "principal.ip".
- Mapped "csmethod" to "network.http.method".
- Mapped "csreferer" to "network.http.referral_url".
- Mapped "scstatus" to "network.http.response_code".
- Mapped "computername" to "target.asset.hostname".
- Mapped "scbyte" to "network.sent_bytes".
- Mapped "csbyte" to "network.received_bytes".
- Mapped "date" and "time" to "metadata.event_timestamp".
2023-03-01 Enhancement- Added support for JSON format logs having keys like: `c-*`, `s-*`, `cs-*`, `sc-*`.
2022-10-25 Enhancement:
- Extracted "uri_query","intermediary_device_name","principal_username","sent_bytes","received_bytes" from log.
- Changed "dst_port" to "src_port".
- Mapped "src_port" to "principal.port".
- Updated "target.url" mapping to "request_url"+?+"uri_query".
- Mapped "token_data" to "security_result.detection_fields" as "Cookie".
- Mapped "sent_bytes" to "network.sent_bytes".
- Mapped "received_bytes" to "network.received_bytes".
- Mapped "intermediary_devicename" to "target.hostname" if "target_host" is empty, else mapped it to "intermediary.hostname".
- Mapped "principal_username" to "principal.user.userid".
- Mapped "Devicename" to "target.hostname" only when "target_host" is empty.
- Mapped "src_ip" to "principal.ip" if "xff_ips" is empty.
- If "xff_ips" is not empty:
Mapped "src_ip" to "intermediary.ip".
Mapped "xff_ips" to "principal.ip".
- Added a Grok pattern for additional logs types.
2022-10-01 Enhancement -
- Wrote grok to parse unparse syslogs".
- Mapped "Severity" to "security_result.severity".
- Mapped "UserName" to "target.user.userid".
- Mapped "UserSid" to "target.user.windows_sid".
- Mapped "ProviderKey" to "security_result.about.resource.attribute.labels".
- Mapped "LayerKey" to "security_result.about.resource.attribute.labels".
- Mapped "LayerName" to "security_result.about.resource.attribute.labels".
- Mapped "LayerId" to "security_result.about.resource.attribute.labels".
- Mapped "Weight" to "security_result.about.resource.attribute.labels".
- Mapped "Conditions" to "security_result.about.resource.attribute.labels".
- Mapped "Action" to "security_result.about.resource.attribute.labels".
- Mapped "CalloutKey" to "security_result.about.resource.attribute.labels".
- Mapped "CalloutName" to "security_result.about.resource.attribute.labels".
- Mapped "Channel" to "security_result.about.resource.attribute.labels".
- Mapped "FilterId" to "security_result.about.resource.attribute.labels".
- Mapped "FilterKey" to "security_result.about.resource.attribute.labels".
- Mapped "FilterName" to "security_result.about.resource.attribute.labels".
- Mapped "FilterType" to "security_result.about.resource.attribute.labels".
- Mapped "ProviderGuid" to "security_result.about.resource.attribute.labels".
- Mapped "ProviderName" to "security_result.about.resource.attribute.labels".
- Mapped "SourceName" to "security_result.about.resource.attribute.labels".
- Mapped "SyslogSeverity" to "security_result.about.resource.attribute.labels".
- Mapped "Category" to "security_result.category_details".
- Mapped "EventType" to "metadata.product_event_type".
- Mapped "EventID" to "metadata.product_log_id".
- Mapped "ProcessID" to "principal.process.pid".
- Mapped "SourceModuleName" to "target.resource.name".
- Mapped "SourceModuleType" to "observer.application".
2022-09-30 Enhancement - Mapped xff header IPs to intermediary.ip.
- Mapped hostname to target.hostname.
- Added extra grok pattern to correctly parse certain logs with extra information and Mapped that extra information in additional fields.
- Mapped ASP.NET_Session_id to network.session_id.
2022-03-30 Enhancement-Parse additional fields.