Change log for TANIUM_TH
Date | Changes |
---|---|
2022-03-30 | Enhancement to map the following raw log elements to UDM elements:<br>Mapped fields "additional.event__TargetSid" and "additional.event__TargetUserSid" to "target.user.windows_sid".<br>Mapped field "additional.event__SubjectUserName" to "principal.user.user_display_name".<br>Mapped fields "additional.event__CallerProcessId" and "additional.event__ClientProcessId" to "principal.process.pid".<br>Mapped field "additional.event__CallerProcessName" to "principal.process.file.full_path".<br>Mapped field "additional.event__FQDN" to "principal.hostname".<br>Mapped field "additional.event__ParentProcessName" to "principal.process.parent_process.file.full_path".<br>Mapped field "additional.event__CommandLine" to "target.process.command_line".<br>Mapped field "additional.event__NewProcessId" to "target.process.pid".<br>Mapped field "additional.event__NewProcessName" to "target.process.file.full_path".<br>Mapped field "additional.event__ParentProcessId" to "principal.process.parent_process.pid".<br>Mapped field "additional.event__ObjectServer" to "security_result.category_details".<br>Mapped field "additional.event__Service" to "security_result.description".<br>Mapped field "additional.event__PrivilegeList" to "principal.user.attribute.permissions".<br>Mapped fields "additional.event__TransmittedServices", "additional.event__LmPackageName", "additional.event__TokenElevationType", "additional.event__MandatoryLabel", "additional.event__AlgorithmName", "additional.event__KeyName", "additional.event__KeyType", "additional.event__Operation", "additional.event__ProviderName", "additional.event__ReturnCode", "additional.event__RpcCallClientLocality", "additional.event__ClientProcessStartKey", "additional.event__TaskContentNew", "additional.event__TaskName", "additional.event__Status", "additional.event__FailureReason", "additional.event__SubStatus", "additional.event__KeyLength", "additional.event__RestrictedAdminMode", "additional.event__TargetLinkedLogonId", "additional.event__TargetOutboundUserName" and "additional.event__TargetOutboundDomainName" to "additional.fields".<br>Changed the mapping of "additional.event__VirtualAccount", "additional.event__ElevatedToken", "additional.event__ImpersonationLevel", "additional.event__TargetLogonId" and "additional.event__SubjectLogonId" from "about.labels" to "additional.fields". |