Change log for POWERSHELL
Date | Changes |
---|---|
2023-09-14 | Enhancement:<br>- Added mappings for unparsed JSON logs.<br>- Mapped 'winlog.activity_id' to 'security_result.detection_fields'.<br>- Mapped 'winlog.api' to 'additional.fields'.<br>- Mapped 'winlog.channel' and 'winlog.process.thread.id' to 'security_result.about.resource.attribute.labels'.<br>- Mapped 'winlog.computer_name' to 'principal.hostname'.<br>- Mapped 'winlog.event_id' to 'metadata.product_event_type' and 'security_result.rule_name'.<br>- Mapped 'winlog.opcode' to 'metadata.description'.<br>- Mapped 'winlog.process.pid' to 'principal.process.pid'.<br>- Mapped 'winlog.provider_guid' to 'metadata.product_deployment_id'.<br>- Mapped 'winlog.provider_name' to 'metadata.product_name'.<br>- Mapped 'winlog.record_id' to 'metadata.product_log_id'.<br>- Mapped 'winlog.user.domain' to 'principal.administrative_domain'.<br>- Mapped 'winlog.user.identifier' to 'principal.user.windows_sid'.<br>- Mapped 'winlog.user.name' to 'principal.user.userid'. |
2023-07-05 | Enhancement:<br>- For 'EventID = 403', mapped 'metadata.event_type' to 'STATUS_UPDATE' when the value for 'HostApplication' is not present.<br>- Extracted the value for 'target.file.full_path' from the log using a Grok pattern when 'Path' is empty.<br>- Added a gsub function to rename '@timestamp' to 'EventTime'. |
2022-11-09 | Enhancement:<br>- The field 'ProviderGuid' is mapped to 'metadata.product_deployment_id'.<br>- The field 'ExecutionProcessID' is mapped to 'principal.process.pid'.<br>- The field 'ProcessID' or 'Process ID' is mapped to 'principal.process.pid'.<br>- The field 'SourceModuleType' is mapped to 'principal.resource.resource_subtype'.<br>- The field 'SourceModuleName' is mapped to 'principal.resource.name'.<br>- The field 'Machine' is mapped to 'principal.asset.asset_id'.<br>- The field 'MessageSourceAddress' is mapped to 'principal.ip'.<br>- The field 'File' is mapped to 'target.process.file.full_path'.<br>- The field 'Host Application' or 'Command' is mapped to 'target.process.command_line'.<br>- The field 'Output' is mapped to 'security_result.detection_fields'.<br>- The field 'Message' is mapped to 'security_result.description'.<br>- The field 'ActivityID' is mapped to 'security_result.detection_fields'.<br>- Added the following mappings when EventID is '4103':<br>- The field 'Host ID' or 'ContextInfo_Host ID' is mapped to 'target.asset.asset_id'.<br>- The field 'Host Name' or 'ContextInfo_Host Name' is mapped to 'target.hostname'.<br>- The field 'ContextInfo_Script Name' is mapped to 'target.process.file.full_path'.<br>- The field 'ContextInfo_Host Application' is mapped to 'target.process.command_line'.<br>- The field 'ContextInfo_Command Name' is mapped to 'security_result.detection_fields'.<br>- The field 'ContextInfo_Command Type' is mapped to 'security_result.detection_fields'.<br>- The field 'ContextInfo_Sequence Number' or 'Sequence Number' is mapped to 'security_result.detection_fields'.<br>- Added the following mappings when EventID is '800', '600' or '400':<br>- The field 'UserId' is mapped to 'principal.user.userid'.<br>- The field 'HostApplication' is mapped to 'target.process.command_line'.<br>- The field 'HostId' is mapped to 'target.asset.asset_id'.<br>- The field 'HostName' is mapped to 'target.hostname'.<br>- The field 'ScriptName' is mapped to 'target.process.file.full_path'.<br>- The field 'SequenceNumber' is mapped to 'security_result.detection_fields'. |
2022-10-13 | Bug-Fix:<br>- Fixed parsing of previously failed logs by making the following changes.<br>- Added "on_error" checks on fields that failed to parse when no value was present, such as 'opcode' and 'Host Application'.<br>- Added 'ContextInfo' as a new source for key-value parsing when 'Message' is not present in the log.<br>Enhancement:<br>- Modified event_type from "GENERIC_EVENT" to "STATUS_UPDATE". |