Change log for POWERSHELL

Date Changes
2024-11-28 Enhancement:
- Added support for a new pattern of SYSLOG logs.
2024-08-20 Enhancement:
- Added "gsub" to remove extra characters so that JSON logs can be parsed.
2024-08-14 Enhancement:
- Mapped "Version" to "metadata.product_version".
- Mapped "SystemTime" to "metadata.event_timestamp".
- Mapped "channel", "keywords", "MessageNumber", "MessageTotal", and "ScriptBlockId" to "security_result.detection_fields".
- Mapped "Path" to "target.process.file.full_path".
2024-07-24 Enhancement:
- Added support for a new pattern of JSON logs.
2024-07-20 Enhancement:
- Mapped "HostApplication" to "principal.application".
- Mapped "HostId" to "principal.resource.product_object_id".
- Mapped "System.Computer" to "principal.hostname" and "principal.asset.hostname".
- Mapped "System.Version" to "metadata.product_version".
- Mapped "System.ProcessID" to "principal.process.pid".
- Mapped "System.ProviderName" to "principal.resource.attribute.labels".
- Mapped "HostVersion", "RunspaceId", "PipelineId", "EngineVersion", "DetailSequence", "DetailTotal", "SequenceNumber", and "ScriptName" to "additional.fields".
- Mapped "System.EventRecordID", "System.Task", "System.Keywords", "System.Opcode", and "System.ThreadID" to "security.detection_fields".
2023-12-05 Enhancement:
- Added mapping for unparsed JSON logs.
- Mapped "Computer" to "principal.hostname".
- Mapped "EventLevelName" to "security_result.severity".
- Mapped "ManagementGroupName", "Source", and "TenantId" to "additional_fields".
- Mapped "RenderedDescription" to "security_result.description".
- Mapped "UserName" to "principal.user.userid".
2023-09-14 Enhancement:
- Added mappings for unparsed JSON logs.
- Mapped 'winlog.activity_id' to 'security_result.detection_fields'.
- Mapped 'winlog.api' to 'additional.fields'.
- Mapped 'winlog.channel' and 'winlog.process.thread.id' to 'security_result.about.resource.attribute.labels'.
- Mapped 'winlog.computer_name' to 'principal.hostname'.
- Mapped 'winlog.event_id' to 'metadata.product_event_type' and 'security_result.rule_name'.
- Mapped 'winlog.opcode' to 'metadata.description'.
- Mapped 'winlog.process.pid' to 'principal.process.pid'.
- Mapped 'winlog.provider_guid' to 'metadata.product_deployment_id'.
- Mapped 'winlog.provider_name' to 'metadata.product_name'.
- Mapped 'winlog.record_id' to 'metadata.product_log_id'.
- Mapped 'winlog.user.domain' to 'principal.administrative_domain'.
- Mapped 'winlog.user.identifier' to 'principal.user.windows_sid'.
- Mapped 'winlog.user.name' to 'principal.user.userid'.
2023-07-05 Enhancement:
- For 'EventID = 403', mapped 'metadata.event_type' to 'STATUS_UPDATE' when the value for 'HostApplication' is not present.
- Extracted the value for 'target.file.full_path' from the log using a Grok pattern when 'Path' is empty.
- Added gsub function to rename '@timestamp' to 'EventTime'.
2022-11-09 Enhancement:
- The field 'ProviderGuid' is mapped to 'metadata.product_deployment_id'.
- The field 'ExecutionProcessID' is mapped to 'principal.process.pid'.
- The field 'ProcessID' or 'Process ID' is mapped to 'principal.process.pid'.
- The field 'SourceModuleType' is mapped to 'principal.resource.resource_subtype'.
- The field 'SourceModuleName' is mapped to 'principal.resource.name'.
- The field 'Machine' is mapped to 'principal.asset.asset_id'.
- The field 'MessageSourceAddress' is mapped to 'principal.ip'.
- The field 'File' is mapped to 'target.process.file.full_path'.
- The field 'Host Application' or 'Command' is mapped to 'target.process.command_line'.
- The field 'Output' is mapped to 'security_result.detection_fields'.
- The field 'Message' is mapped to 'security_result.description'.
- The field 'ActivityID' is mapped to 'security_result.detection_fields'.
- Added the following mappings when EventID is '4103':
- The field 'Host ID' or 'ContextInfo_Host ID' is mapped to 'target.asset.asset_id'.
- The field 'Host Name' or 'ContextInfo_Host Name' is mapped to 'target.hostname'.
- The field 'ContextInfo_Script Name' is mapped to 'target.process.file.full_path'.
- The field 'ContextInfo_Host Application' is mapped to 'target.process.command_line'.
- The field 'ContextInfo_Command Name' is mapped to 'security_result.detection_fields'.
- The field 'ContextInfo_Command Type' is mapped to 'security_result.detection_fields'.
- The field 'ContextInfo_Sequence Number' or 'Sequence Number' is mapped to 'security_result.detection_fields'.
- Added the following mappings when EventID is '800', '600' or '400':
- The field 'UserId' is mapped to 'principal.user.userid'.
- The field 'HostApplication' is mapped to 'target.process.command_line'.
- The field 'HostId' is mapped to 'target.asset.asset_id'.
- The field 'HostName' is mapped to 'target.hostname'.
- The field 'ScriptName' is mapped to 'target.process.file.full_path'.
- The field 'SequenceNumber' is mapped to 'security_result.detection_fields'.
2022-10-13 Bug-Fix:
- Fixed logs that previously failed to parse by making the following changes:
- Added "on_error" checks on fields such as 'opcode' and 'Host Application' that failed parsing when no value was present.
- Added a new source, 'ContextInfo', for KV parsing when 'Message' is not present in the logs.
Enhancement:
- Modified event_type from "GENERIC_EVENT" to "STATUS_UPDATE".