Change log for MICROSOFT_SQL
Date | Changes |
---|---|
2024-11-28 | Bug-Fix:
- When "action_id" is "LGIF", then mapped "security_result.action" to "BLOCK". |
2024-10-29 | Enhancement:
- Added support for a new pattern of SYSLOG + JSON logs. |
2024-10-22 | Enhancement:
- Mapped "event_time" to "metadata.event_timestamp". |
2024-10-08 | Enhancement:
- Mapped "additional_information" to "additional.fields". |
2024-09-05 | Enhancement:
- Added support for SYSLOG + JSON logs. |
2024-09-04 | Enhancement:
- Added support to parse KV data in "EventData" field. |
2024-08-26 | Enhancement:
- Added support for a new pattern of KV logs. |
2024-07-23 | Enhancement:
- Added support for a new pattern of JSON logs. |
2024-06-18 | Enhancement:
- Added support to parse key-value data in the "MESSAGE" field. |
2024-05-17 | Enhancement:
- Added support to parse logs when "operationName" is "Microsoft Graph Activity". - Mapped "level" to "security_result.severity". - Mapped "resourceId" to "target.resource.attribute.labels". - Mapped "operationName" to "metadata.product_event_type". - Mapped "operationVersion" to "additional.fields". - Mapped "properties.ipAddress" to "principal.ip" and "principal.asset.ip". - Mapped "properties.apiVersion" to "metadata.product_version". - Mapped "properties.appId" to "target.resource.product_object_id". - Mapped "properties.clientAuthMethod" to "extensions.auth.auth_details". - Mapped "properties.clientRequestId" to "additional.fields". - Mapped "properties.signInActivityId" to "network.session_id". - Mapped "properties.identityProvider" to "security_result.detection_fields". - Mapped "properties.wids" to "security_result.detection_fields". - Mapped "properties.roles" to "security_result.detection_fields". - Mapped "correlationId" to "security_result.detection_fields". - Mapped "properties.tokenIssuedAt" to "additional.fields". - Mapped "properties.requestMethod" to "network.http.method". - Mapped "properties.responseStatusCode" to "network.http.response_code". - Mapped "properties.tenantId" to "metadata.product_deployment_id". - Mapped "properties.userAgent" to "network.http.user_agent". - Mapped "properties.requestUri" to "target.url". - Mapped "properties.durationMs" to "network.session_duration.seconds". - Mapped "properties.responseSizeBytes" to "network.received_bytes". - Mapped "properties.userId" and "properties.servicePrincipalId" to "principal.user.userid". - Mapped "properties.location" to "principal.location.name". - Mapped "properties.requestId" to "metadata.product_log_id". - Mapped "properties.operationId" to "security_result.detection_fields". |
2024-04-01 | Enhancement:
- Added a Grok pattern to parse unparsed SYSLOG + JSON logs. - Mapped "hostinfo.architecture" to "principal.asset.hardware". - Mapped "hostinfo.os.kernel" to "principal.platform_patch_level". - Mapped "hostinfo.os.version" to "principal.platform_version". - Mapped "hostinfo.os.platform" to "hostinfo.os.platform". - Mapped "hostinfo.os.name" and "hostinfo.os.build" to "additional.fields". |
2023-12-20 | Enhancement -
- Decoded the encoded log using gsub. - Mapped "host.ip" to "principal.ip". - Added a Grok pattern to map additional fields. - Mapped "error" to "security_result.detection_fields". - Mapped "err_msg" to "security_result.description". |
2023-10-09 | Enhancement -
- Added a Grok pattern to support the new log formats. - Mapped "SQlINstance" to "principal.hostname" when user information is not available. |
2023-08-17 | Enhancement -
- Provided a check that "event_type" is "STATUS_STARTUP" or "STATUS_SHUTDOWN" if the field "host" is not null. |
2023-07-04 | Bug-Fix -
- Changed "event_type" from "USER_LOGIN" to "USER_UNCATEGORIZED" and from "STATUS_UNCATEFORIZED" to "GENERIC_EVENT" for some logs since fields like "clientip" or "host" are not present. - Initialised "Date" and "Time" to null and provided null check before mapping. - Mapped "AgentDevice", "AgentLogFile", "Source", "ProcessInfo" to "additional.fields". - Mapped "SQlINstance" to "intermediary.hostname". |
2023-05-09 | Enhancement -
- Added JSON block to retrieve JSON data. - Mapped "source" to "principal.resource.attribute.labels". - Mapped "msg" to "metadata.description". |
2023-01-18 | Enhancement - Added null conditional check for the following fields: 'agent.type', 'agent.id', 'agent.hostname', 'agent.version', 'event.provider', 'event.code', 'log.level', 'ecs.version', 'timestamp'.
- Mapped the field 'EventID' to 'metadata.product_event_type'. - Mapped the field 'SourceModuleType' to 'observer.application'. - Mapped the field 'SourceModuleName' to 'additional.fields'. - Mapped the field 'Severity' to 'security_result.severity'. - Added following mapping when the event is 'Audit Event': - Mapped the field 'client_ip' to 'principal.ip'. - Mapped the field 'database_name' to 'target.resource_ancestors.name' and 'target.resource_ancestors.resource_type' mapped as 'DATABASE'. - Mapped the field 'schema_name' to 'target.resource_ancestors.resource_subtype'. - Mapped the field 'statement' to 'target.process.command_line'. - Mapped the field 'object_name' to 'target.resource.name' and 'target.resource.resource_type' mapped as 'TABLE'. - Mapped the field 'application_name' to 'target.application'. - Mapped the field 'sequence_number' to 'target.resource.attribute.labels'. - Mapped the field 'transaction_id' to 'target.resource.attribute.labels'. - Added following mapping when the field 'Message' contains 'Log was backed up': - Mapped the field 'Database' to 'target.resource.name' and 'target.resource.resource_type' as 'DATABASE'. - Mapped the field 'first LSN' to 'target.resource.attribute.labels'. - Mapped the field 'last LSN' to 'target.resource.attribute.labels'. - Mapped the field 'UserID' to 'principal.user.windows_sid'. - Added following mapping when the field 'Message' contains 'Starting up database': - Mapped the field 'Database' to 'target.resource.name' and 'target.resource.resource_type' as 'DATABASE'. - Mapped the field 'AccountName' to 'principal.user.userid'. - Mapped the field 'UserID' to 'principal.user.windows_sid'. |
2022-08-09 | Enhancement - Modified mapping for the field 'winlog.computer_name' from 'principal.asset.hostname' to 'event.idm.read_only_udm.about.hostname' for logs with JSON format.
|
2022-07-01 | Bug-fix - Mapped "host.name" to "observer.hostname" for logs with JSON format.
|
2022-05-31 | Enhancement - Parsed the new JSON format logs and the logs containing the key-value fields. Also, parsed the syslog logs having 'NXLOG'.
Moved customer-specific version to default. Mapped the following new fields : For JSON format logs : winlog.computer_name, agent.type, agent.version, agent.id, agent.hostname, ecs.version, log.level, event.provider, event.code, host.name, logstash.process.host, message, timestamp. For key-value format logs : TextData, HostName, ApplicationName, LoginName, ObjectName, ObjectType, DatabaseID,DatabaseName, SPID, SourceModuleName, SourceModuleType. |