Change log for MICROSOFT_SQL

Date Changes
2023-12-20 Enhancement -
- Decoded the encoded log using gsub.
- Mapped "host.ip" to "principal.ip".
- Added a Grok pattern to map additional fields.
- Mapped "error" to "security_result.detection_fields".
- Mapped "err_msg" to "security_result.description".
2023-10-09 Enhancement -
- Added a Grok pattern to support the new log formats.
- Mapped "SQlINstance" to "principal.hostname" when user information is not available.
2023-08-17 Enhancement -
- Provided a check that "event_type" is "STATUS_STARTUP" or "STATUS_SHUTDOWN" if the field "host" is not null.
2023-07-04 Bug-Fix -
- Changed "event_type" from "USER_LOGIN" to "USER_UNCATEGORIZED" and from "STATUS_UNCATEFORIZED" to "GENERIC_EVENT" for some logs since fields like "clientip" or "host" are not present.
- Initialised "Date" and "Time" to null and provided null check before mapping.
- Mapped "AgentDevice", "AgentLogFile", "Source", "ProcessInfo" to "additional.fields".
- Mapped "SQlINstance" to "intermediary.hostname".
2023-05-09 Enhancement -
- Added JSON block to retrieve JSON data.
- Mapped "source" to "principal.resource.attribute.labels".
- Mapped "msg" to "metadata.description".
2023-01-18 Enhancement - Added null conditional check for the following fields: 'agent.type', 'agent.id', 'agent.hostname', 'agent.version', 'event.provider', 'event.code', 'log.level', 'ecs.version', 'timestamp'.
- Mapped the field 'EventID' to 'metadata.product_event_type'.
- Mapped the field 'SourceModuleType' to 'observer.application'.
- Mapped the field 'SourceModuleName' to 'additional.fields'.
- Mapped the field 'Severity' to 'security_result.severity'.
- Added following mapping when the event is 'Audit Event':
- Mapped the field 'client_ip' to 'principal.ip'.
- Mapped the field 'database_name' to 'target.resource_ancestors.name' and 'target.resource_ancestors.resource_type' mapped as 'DATABASE'.
- Mapped the field 'schema_name' to 'target.resource_ancestors.resource_subtype'.
- Mapped the field 'statement' to 'target.process.command_line'.
- Mapped the field 'object_name' to 'target.resource.name' and 'target.resource.resource_type' mapped as 'TABLE'.
- Mapped the field 'application_name' to 'target.application'.
- Mapped the field 'sequence_number' to 'target.resource.attribute.labels'.
- Mapped the field 'transaction_id' to 'target.resource.attribute.labels'.
- Added following mapping when the field 'Message' contains 'Log was backed up':
- Mapped the field 'Database' to 'target.resource.name' and 'target.resource.resource_type' as 'DATABASE'.
- Mapped the field 'first LSN' to 'target.resource.attribute.labels'.
- Mapped the field 'last LSN' to 'target.resource.attribute.labels'.
- Mapped the field 'UserID' to 'principal.user.windows_sid'.
- Added following mapping when the field 'Message' contains 'Starting up database':
- Mapped the field 'Database' to 'target.resource.name' and 'target.resource.resource_type' as 'DATABASE'.
- Mapped the field 'AccountName' to 'principal.user.userid'.
- Mapped the field 'UserID' to 'principal.user.windows_sid'.
2022-08-09 Enhancement - Modified mapping for the field 'winlog.computer_name' from 'principal.asset.hostname' to 'event.idm.read_only_udm.about.hostname' for logs with JSON format.
2022-07-01 Bug-fix - Mapped "host.name" to "observer.hostname" for logs with JSON format.
2022-05-31 Enhancement - Parsed the new JSON format logs and the logs containing the key-value fields. Also, parsed the syslog logs having 'NXLOG'.
Moved customer-specific version to default.
Mapped the following new fields :
For JSON format logs :
winlog.computer_name, agent.type, agent.version, agent.id, agent.hostname, ecs.version, log.level, event.provider, event.code, host.name, logstash.process.host, message, timestamp.
For key-value format logs :
TextData, HostName, ApplicationName, LoginName, ObjectName, ObjectType, DatabaseID,DatabaseName, SPID, SourceModuleName, SourceModuleType.