Change log for MICROSOFT_DEFENDER_IDENTITY
| Date | Changes |
|---|---|
| 2024-10-14 | Enhancement:<br>- Mapped "device_event_class_id" to "security_result.rule_name".<br>- Mapped "event_name" to "security_result.description".<br>- Mapped "app" and "alert_id" to "additional.fields".<br>- Mapped "externalId" to "metadata.product_log_id". |
| 2024-09-12 | Enhancement:<br>- Added support for array-type logs. |
| 2024-08-09 | Enhancement:<br>- Added support to parse syslog logs. |
| 2024-06-25 | Enhancement:<br>- Added support to parse previously unparsed logs.<br>- If "properties.AdditionalFields.TARGET_OBJECT.USER" is absent, mapped "properties.AccountName" to "target.user.userid".<br>- If both "properties.AccountName" and "properties.AdditionalFields.PRINCIPAL_OBJECT.USER" are absent, mapped "properties.AccountDisplayName" to "principal.user.userid".<br>- Mapped "properties.Location" to "principal.location.country_or_region".<br>- Mapped "properties.AccountObjectId" to "principal.user.attribute.labels". |
| 2024-04-15 | Enhancement:<br>- Added support to map "DestinationComputerObjectGuid", "DestinationComputerOperatingSystem", "DestinationComputerOperatingSystemVersion" and "TO.DEVICE" when the value of these fields is a list instead of a string. |
| 2022-07-27 | Enhancement:<br>- Mapped "metadata.event_type" to "REGISTRY_DELETION" where "properties.ActionType" is "RegistryValueDeleted", to "REGISTRY_CREATION" where it is "RegistryValueCreated", and to "REGISTRY_MODIFICATION" where it is any other non-null value.<br>- Mapped "properties.InitiatingProcessFolderPath" to "process.file.full_path".<br>- Mapped "properties.InitiatingProcessIntegrityLevel" to "about.labels".<br>- Mapped "properties.DeviceId" to "principal.asset_id".<br>- Mapped "properties.InitiatingProcessTokenElevation" to "about.labels".<br>- Mapped "properties.InitiatingProcessParentFileName" to "principal.process.parent_process.file.full_path".<br>- Mapped "properties.InitiatingProcessMD5" to "principal.process.file.md5".<br>- Mapped "properties.InitiatingProcessSHA256" to "principal.process.file.sha256".<br>- Mapped "properties.InitiatingProcessSHA1" to "principal.process.file.sha1".<br>- Mapped "properties.InitiatingProcessId" to "principal.process.pid".<br>- Mapped "properties.InitiatingProcessCommandLine" to "principal.process.command_line".<br>- Mapped "properties.InitiatingProcessAccountSid" to "principal.user.windows_sid".<br>- Mapped "properties.InitiatingProcessAccountDomain" to "principal.administrative_domain".<br>- Mapped "properties.RegistryKey" to "target.registry.registry_key".<br>- Mapped "properties.RegistryValueName" to "target.registry.registry_value_name".<br>- Mapped "properties.RegistryValueData" to "target.registry.registry_value_data".<br>- Mapped "properties.PreviousRegistryKey" to "src.registry.registry_key".<br>- Mapped "properties.PreviousRegistryValueName" to "src.registry.registry_value_name".<br>- Mapped "properties.PreviousRegistryValueData" to "src.registry.registry_value_data". |
| 2022-04-22 | Newly created parser. |
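The conditional mappings above (the "properties.ActionType" to "metadata.event_type" rules from 2022-07-27, the list-or-string fields from 2024-04-15 and the user-id fallbacks from 2024-06-25) are easier to check against a sample record than to read from the table. The following Python is an added example, not Google SecOps parser code: it applies those rules to constructed Defender for Identity records and returns a flat dict keyed by UDM field name. Assumptions, also marked in the code: an empty string counts as an absent field; "AdditionalFields.PRINCIPAL_OBJECT.USER" is taken as the primary source of "principal.user.userid" (the change log only states the fallback); and list-valued fields are kept under their source name because the change log does not name their UDM target.

```python
# Added example, not Google SecOps parser code: applies the conditional mappings
# described in this change log to constructed Microsoft Defender for Identity
# records. Field names come from the change log; the records and the flat
# UDM-style output dict are constructed for illustration.

# 2022-07-27: named ActionType values take precedence; any other non-null
# ActionType is a generic registry modification.
REGISTRY_EVENT_TYPES = {
    "RegistryValueDeleted": "REGISTRY_DELETION",
    "RegistryValueCreated": "REGISTRY_CREATION",
}
REGISTRY_FIELDS = {  # raw property name -> UDM field (2022-07-27 entry)
    f"{prefix}Registry{name}": f"{side}.registry.registry_{udm}"
    for prefix, side in (("", "target"), ("Previous", "src"))
    for name, udm in (("Key", "key"), ("ValueName", "value_name"), ("ValueData", "value_data"))
}
# 2024-04-15: these fields may arrive as a string or as a list.
LIST_OR_STRING_FIELDS = (
    "DestinationComputerObjectGuid",
    "DestinationComputerOperatingSystem",
    "DestinationComputerOperatingSystemVersion",
)

def present(value):
    """Assumption: a field is absent when missing, None or an empty string."""
    return value not in (None, "")

def get_path(obj, dotted):
    """Walk a dotted path such as AdditionalFields.TARGET_OBJECT.USER."""
    cur = obj
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur if present(cur) else None

def as_list(value):
    """Normalise a string-or-list field to a list of non-empty strings."""
    if not present(value):
        return []
    items = value if isinstance(value, list) else [value]
    return [str(v) for v in items if present(v)]

def registry_event_type(action_type):
    """UDM event type for a registry ActionType, or None when it is unset."""
    if not present(action_type):
        return None
    return REGISTRY_EVENT_TYPES.get(action_type, "REGISTRY_MODIFICATION")

def user_ids(props):
    """2024-06-25 fallbacks; returns (target_userid, principal_userid).
    Assumption: PRINCIPAL_OBJECT.USER is the primary principal id; the change
    log only gives the fallback for when it and AccountName are both absent."""
    target = get_path(props, "AdditionalFields.TARGET_OBJECT.USER")
    if target is None:
        target = get_path(props, "AccountName")
    principal = get_path(props, "AdditionalFields.PRINCIPAL_OBJECT.USER")
    if principal is None and get_path(props, "AccountName") is None:
        principal = get_path(props, "AccountDisplayName")
    return target, principal

def normalize(record):
    """Build a flat dict keyed by UDM field name from one raw record."""
    props = record.get("properties", {})
    udm = {}
    event_type = registry_event_type(props.get("ActionType"))
    if event_type:
        udm["metadata.event_type"] = event_type
        for src, dst in REGISTRY_FIELDS.items():
            if present(props.get(src)):
                udm[dst] = props[src]
    target, principal = user_ids(props)
    if target:
        udm["target.user.userid"] = target
    if principal:
        udm["principal.user.userid"] = principal
    if present(props.get("Location")):
        udm["principal.location.country_or_region"] = props["Location"]
    for field in LIST_OR_STRING_FIELDS:
        values = as_list(props.get(field))
        if values:  # change log names no UDM target; keep the source name
            udm[field] = values
    return udm

# Constructed sample records, not captured from a real tenant.
REGISTRY_RECORD = {"properties": {
    "ActionType": "RegistryValueSet",
    "RegistryKey": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "RegistryValueName": "Updater",
    "RegistryValueData": r"C:\Users\Public\upd.exe",
    "PreviousRegistryValueData": "",  # empty, so no src.registry field is set
}}
ALERT_RECORD = {"properties": {
    "AccountDisplayName": "Jane Doe",
    "Location": "NL",
    "AdditionalFields": {"TARGET_OBJECT": {"USER": "svc-backup"}},
    "DestinationComputerObjectGuid": ["guid-1", "", "guid-2"],
    "DestinationComputerOperatingSystem": "Windows Server 2019",
}}
```

Run `normalize(REGISTRY_RECORD)` and `normalize(ALERT_RECORD)` to see the two paths: the registry record has an ActionType that is neither of the two named values, so it lands on REGISTRY_MODIFICATION, while the alert record has no ActionType and only exercises the user-id and list handling. When extending this to the real parser, note that the page does not say which UDM field the list-valued Destination* fields populate, so that part of the example is a placeholder.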