Change log for MICROSOFT_SQL

Date Changes
2024-11-28 Bug-Fix:
- When "action_id" is "LGIF", then mapped "security_result.action" to "BLOCK".
2024-10-29 Enhancement:
- Added support for a new pattern of SYSLOG + JSON logs.
2024-10-22 Enhancement:
- Mapped "event_time" to "metadata.event_timestamp".
2024-10-08 Enhancement:
- Mapped "additional_information" to "additional.fields".
2024-09-05 Enhancement:
- Added support for SYSLOG + JSON logs.
2024-09-04 Enhancement:
- Added support to parse KV data in "EventData" field.
2024-08-26 Enhancement:
- Added support for a new pattern of KV logs.
2024-07-23 Enhancement:
- Added support for a new pattern of JSON logs.
2024-06-18 Enhancement:
- Added support to parse key-value data in the "MESSAGE" field.
2024-05-17 Enhancement:
- Added support to parse logs when "operationName" is "Microsoft Graph Activity".
- Mapped "level" to "security_result.severity".
- Mapped "resourceId" to "target.resource.attribute.labels".
- Mapped "operationName" to "metadata.product_event_type".
- Mapped "operationVersion" to "additional.fields".
- Mapped "properties.ipAddress" to "principal.ip" and "principal.asset.ip".
- Mapped "properties.apiVersion" to "metadata.product_version".
- Mapped "properties.appId" to "target.resource.product_object_id".
- Mapped "properties.clientAuthMethod" to "extensions.auth.auth_details".
- Mapped "properties.clientRequestId" to "additional.fields".
- Mapped "properties.signInActivityId" to "network.session_id".
- Mapped "properties.identityProvider" to "security_result.detection_fields".
- Mapped "properties.wids" to "security_result.detection_fields".
- Mapped "properties.roles" to "security_result.detection_fields".
- Mapped "correlationId" to "security_result.detection_fields".
- Mapped "properties.tokenIssuedAt" to "additional.fields".
- Mapped "properties.requestMethod" to "network.http.method".
- Mapped "properties.responseStatusCode" to "network.http.response_code".
- Mapped "properties.tenantId" to "metadata.product_deployment_id".
- Mapped "properties.userAgent" to "network.http.user_agent".
- Mapped "properties.requestUri" to "target.url".
- Mapped "properties.durationMs" to "network.session_duration.seconds".
- Mapped "properties.responseSizeBytes" to "network.received_bytes".
- Mapped "properties.userId" and "properties.servicePrincipalId" to "principal.user.userid".
- Mapped "properties.location" to "principal.location.name".
- Mapped "properties.requestId" to "metadata.product_log_id".
- Mapped "properties.operationId" to "security_result.detection_fields".
2024-04-01 Enhancement:
- Added a Grok pattern to parse unparsed SYSLOG + JSON logs.
- Mapped "hostinfo.architecture" to "principal.asset.hardware".
- Mapped "hostinfo.os.kernel" to "principal.platform_patch_level".
- Mapped "hostinfo.os.version" to "principal.platform_version".
- Mapped "hostinfo.os.platform" to "hostinfo.os.platform".
- Mapped "hostinfo.os.name" and "hostinfo.os.build" to "additional.fields".
2023-12-20 Enhancement -
- Decoded the encoded log using gsub.
- Mapped "host.ip" to "principal.ip".
- Added a Grok pattern to map additional fields.
- Mapped "error" to "security_result.detection_fields".
- Mapped "err_msg" to "security_result.description".
2023-10-09 Enhancement -
- Added a Grok pattern to support the new log formats.
- Mapped "SQlINstance" to "principal.hostname" when user information is not available.
2023-08-17 Enhancement -
- Provided a check that "event_type" is "STATUS_STARTUP" or "STATUS_SHUTDOWN" if the field "host" is not null.
2023-07-04 Bug-Fix -
- Changed "event_type" from "USER_LOGIN" to "USER_UNCATEGORIZED" and from "STATUS_UNCATEFORIZED" to "GENERIC_EVENT" for some logs since fields like "clientip" or "host" are not present.
- Initialised "Date" and "Time" to null and provided null check before mapping.
- Mapped "AgentDevice", "AgentLogFile", "Source", "ProcessInfo" to "additional.fields".
- Mapped "SQlINstance" to "intermediary.hostname".
2023-05-09 Enhancement -
- Added JSON block to retrieve JSON data.
- Mapped "source" to "principal.resource.attribute.labels".
- Mapped "msg" to "metadata.description".
2023-01-18 Enhancement - Added null conditional check for the following fields: 'agent.type', 'agent.id', 'agent.hostname', 'agent.version', 'event.provider', 'event.code', 'log.level', 'ecs.version', 'timestamp'.
- Mapped the field 'EventID' to 'metadata.product_event_type'.
- Mapped the field 'SourceModuleType' to 'observer.application'.
- Mapped the field 'SourceModuleName' to 'additional.fields'.
- Mapped the field 'Severity' to 'security_result.severity'.
- Added following mapping when the event is 'Audit Event':
- Mapped the field 'client_ip' to 'principal.ip'.
- Mapped the field 'database_name' to 'target.resource_ancestors.name' and 'target.resource_ancestors.resource_type' mapped as 'DATABASE'.
- Mapped the field 'schema_name' to 'target.resource_ancestors.resource_subtype'.
- Mapped the field 'statement' to 'target.process.command_line'.
- Mapped the field 'object_name' to 'target.resource.name' and 'target.resource.resource_type' mapped as 'TABLE'.
- Mapped the field 'application_name' to 'target.application'.
- Mapped the field 'sequence_number' to 'target.resource.attribute.labels'.
- Mapped the field 'transaction_id' to 'target.resource.attribute.labels'.
- Added following mapping when the field 'Message' contains 'Log was backed up':
- Mapped the field 'Database' to 'target.resource.name' and 'target.resource.resource_type' as 'DATABASE'.
- Mapped the field 'first LSN' to 'target.resource.attribute.labels'.
- Mapped the field 'last LSN' to 'target.resource.attribute.labels'.
- Mapped the field 'UserID' to 'principal.user.windows_sid'.
- Added following mapping when the field 'Message' contains 'Starting up database':
- Mapped the field 'Database' to 'target.resource.name' and 'target.resource.resource_type' as 'DATABASE'.
- Mapped the field 'AccountName' to 'principal.user.userid'.
- Mapped the field 'UserID' to 'principal.user.windows_sid'.
2022-08-09 Enhancement - Modified mapping for the field 'winlog.computer_name' from 'principal.asset.hostname' to 'event.idm.read_only_udm.about.hostname' for logs with JSON format.
2022-07-01 Bug-fix - Mapped "host.name" to "observer.hostname" for logs with JSON format.
2022-05-31 Enhancement - Parsed the new JSON format logs and the logs containing the key-value fields. Also, parsed the syslog logs having 'NXLOG'.
Moved customer-specific version to default.
Mapped the following new fields :
For JSON format logs :
winlog.computer_name, agent.type, agent.version, agent.id, agent.hostname, ecs.version, log.level, event.provider, event.code, host.name, logstash.process.host, message, timestamp.
For key-value format logs :
TextData, HostName, ApplicationName, LoginName, ObjectName, ObjectType, DatabaseID,DatabaseName, SPID, SourceModuleName, SourceModuleType.