Change log for MICROSOFT_SQL
Date | Changes |
---|---|
2023-12-20 | Enhancement: decoded the encoded log using gsub; mapped "host.ip" to "principal.ip"; added a Grok pattern to map additional fields; mapped "error" to "security_result.detection_fields"; mapped "err_msg" to "security_result.description". |
2023-10-09 | Enhancement: added a Grok pattern to support the new log formats; mapped "SQlINstance" to "principal.hostname" when user information is not available. |
2023-08-17 | Enhancement: added a check that "event_type" is "STATUS_STARTUP" or "STATUS_SHUTDOWN" only if the field "host" is not null. |
2023-07-04 | Bug fix: changed "event_type" from "USER_LOGIN" to "USER_UNCATEGORIZED" and from "STATUS_UNCATEGORIZED" to "GENERIC_EVENT" for logs in which fields such as "clientip" or "host" are not present; initialised "Date" and "Time" to null and added a null check before mapping them; mapped "AgentDevice", "AgentLogFile", "Source" and "ProcessInfo" to "additional.fields"; mapped "SQlINstance" to "intermediary.hostname". |
2023-05-09 | Enhancement: added a JSON block to retrieve JSON data; mapped "source" to "principal.resource.attribute.labels"; mapped "msg" to "metadata.description". |
2023-01-18 | Enhancement: added null conditional checks for 'agent.type', 'agent.id', 'agent.hostname', 'agent.version', 'event.provider', 'event.code', 'log.level', 'ecs.version' and 'timestamp'; mapped 'EventID' to 'metadata.product_event_type'; mapped 'SourceModuleType' to 'observer.application'; mapped 'SourceModuleName' to 'additional.fields'; mapped 'Severity' to 'security_result.severity'. When the event is 'Audit Event': mapped 'client_ip' to 'principal.ip'; mapped 'database_name' to 'target.resource_ancestors.name' with 'target.resource_ancestors.resource_type' set to 'DATABASE'; mapped 'schema_name' to 'target.resource_ancestors.resource_subtype'; mapped 'statement' to 'target.process.command_line'; mapped 'object_name' to 'target.resource.name' with 'target.resource.resource_type' set to 'TABLE'; mapped 'application_name' to 'target.application'; mapped 'sequence_number' and 'transaction_id' to 'target.resource.attribute.labels'. When 'Message' contains 'Log was backed up': mapped 'Database' to 'target.resource.name' with 'target.resource.resource_type' set to 'DATABASE'; mapped 'first LSN' and 'last LSN' to 'target.resource.attribute.labels'; mapped 'UserID' to 'principal.user.windows_sid'. When 'Message' contains 'Starting up database': mapped 'Database' to 'target.resource.name' with 'target.resource.resource_type' set to 'DATABASE'; mapped 'AccountName' to 'principal.user.userid'; mapped 'UserID' to 'principal.user.windows_sid'. |
2022-08-09 | Enhancement: changed the mapping of 'winlog.computer_name' from 'principal.asset.hostname' to 'event.idm.read_only_udm.about.hostname' for logs in JSON format. |
2022-07-01 | Bug fix: mapped "host.name" to "observer.hostname" for logs in JSON format. |
2022-05-31 | Enhancement: parsed the new JSON-format logs and the logs containing key-value fields; also parsed the syslog logs containing 'NXLOG'. Moved the customer-specific version to default. Mapped the following new fields. JSON format: winlog.computer_name, agent.type, agent.version, agent.id, agent.hostname, ecs.version, log.level, event.provider, event.code, host.name, logstash.process.host, message, timestamp. Key-value format: TextData, HostName, ApplicationName, LoginName, ObjectName, ObjectType, DatabaseID, DatabaseName, SPID, SourceModuleName, SourceModuleType. |
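The event_type and hostname rules from the 2023-07-04, 2023-08-17 and 2023-10-09 entries, modelled as an added Python example (it is not the parser's own Logstash/Grok code). The sample records, the GENERIC_EVENT fallback for STATUS_* events without a host, and the choice of which fields count as "user information" are assumptions made for the illustration.

```python
# Constructed sample records; field names follow the change log entries above.
STARTUP = {"host": "sqlhost01", "SQlINstance": "MSSQLSERVER",
           "Date": "2023-08-17", "Time": "10:00:00"}
LOGIN_NO_IP = {"LoginName": "sa", "SQlINstance": "MSSQLSERVER",
               "Date": None, "Time": None}


def finalize_event_type(candidate: str, rec: dict) -> str:
    """Apply the 2023-07-04 and 2023-08-17 rules to a tentatively chosen event_type."""
    has_host = rec.get("host") is not None
    has_client_ip = rec.get("clientip") is not None
    if candidate in ("STATUS_STARTUP", "STATUS_SHUTDOWN"):
        # 2023-08-17: keep STATUS_* only when "host" is not null. Falling back to
        # GENERIC_EVENT is an assumption; the log does not say what is emitted otherwise.
        return candidate if has_host else "GENERIC_EVENT"
    if candidate == "USER_LOGIN" and not has_client_ip:
        return "USER_UNCATEGORIZED"  # 2023-07-04: no client IP to attribute the login to
    if candidate == "STATUS_UNCATEGORIZED" and not has_host:
        return "GENERIC_EVENT"  # 2023-07-04: no host for a status event
    return candidate


def map_event(candidate: str, rec: dict) -> dict:
    """Build a minimal UDM-style dict from a parsed record (illustration only)."""
    udm = {"metadata": {"event_type": finalize_event_type(candidate, rec)},
           "principal": {}, "intermediary": {}}
    # 2023-07-04: "Date"/"Time" default to null and are mapped only after a null check.
    if rec.get("Date") is not None and rec.get("Time") is not None:
        udm["metadata"]["event_timestamp"] = f'{rec["Date"]} {rec["Time"]}'
    if rec.get("host") is not None:
        udm["principal"]["hostname"] = rec["host"]
    # 2023-10-09 vs 2023-07-04: SQlINstance goes to principal.hostname when no user
    # information is present, otherwise to intermediary.hostname. Which fields count
    # as user information is an assumption here; an existing host is not overwritten.
    instance = rec.get("SQlINstance")
    if instance is not None:
        user_known = any(rec.get(k) for k in ("LoginName", "AccountName", "UserID"))
        target = udm["intermediary"] if user_known else udm["principal"]
        target.setdefault("hostname", instance)
    return udm
```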