Change log for WINEVTLOG

Date Changes
2024-10-18 - Added support for well known SID names for Windows event 4627.
2024-10-04 - Added support for field "Keywords" log field.
2024-09-27 - Handled the newline characters ('\n') by replacing them with commas (',') in the 'PrivilegeList' log field for the logs forwarded using the Bind Plane agent.
- Updated event validation for windows event 4104.
- Added support for the field "HandleId" in event 4662.
2024-09-20 - Added support for field "ServiceType" and "StartType" in event 7045.
2024-09-18 - Added support for field "EventData.ErroCode" in event 5035 and 5037.
- Updated the mapping of the fields "Client Address" and "Client Port" for Windows event IDs 4768, 4770, and 4771.
- Updated event validation for "USER_LOGIN" UDM event.
- Added support for "PreAuthType" log field for XML format logs.
2024-09-17 - Updated mapping of "Workstation" log field to "principal.hostname" for windows event 4776.
- Added support of "TdoType", "TdoDirection", "TdoAttributes", "SidFilteringEnabled" log fields for EventID: 4706, 4716
- Added support of "DomainSid" log field for EventID: 4706, 4707, 4716, 4865, 4867, 4866.
- Added support of "ForestRoot", "ForestRootSid", "OperationId", "EntryType", "Flags", "TopLevelName", "DnsName", "NetbiosName", "SubjectLogonId" log fields for EventID: 4865, 4866, 4867.
2024-09-13 - Added support for the raw log field "Param1", "Param2" and "Param3" for the EventID: 1149 and "User" and "Address" for the EventID: 21.
2024-08-30 - Added support for raw log field "ProcessId" and "ProcessName" for windows event 4689.
- Udpdate logic for "MemberName" field and Updated mapping for "MemberSid" and "TargetDomainName" field for events 4728, 4729, 4732, 4733, 4756, 4757.
2024-08-16 - Added support of field `TargetSid` for windows event 4704.
2024-08-09 - Added support for the raw log field "ObjectDN" for the event 5137, 5141.
- Added support for Windows Powershell events 400.
- Update the mapping of HostApplication and HostName for Windows Powershell events 403.
- Added support for "message" fields and update the mapping of HostApplication for Windows Powershell events 800.
- Added support for "message" fields and update the mapping of HostApplication for Windows Powershell events 4103.
- Added support for "message" fields and update the mapping of ScriptBlockText for Windows Powershell events 4104.
2024-08-09 - Added support for the raw log field "ObjectDN" for the event 5137, 5141.
- Added support for Windows Powershell events 400.
- Update the mapping of HostApplication and HostName for Windows Powershell events 403.
- Added support for "message" fields and update the mapping of HostApplication for Windows Powershell events 800.
- Added support for "message" fields and update the mapping of HostApplication for Windows Powershell events 4103.
- Added support for "message" fields and update the mapping of ScriptBlockText for Windows Powershell events 4104.
2024-07-11 - Extracted the UserId from the Task Content raw log field and mapped with the additional.fields of the UDM model.
- Added support for the raw log field "winlog.event_data.AccessMask" for the event 5145.
- Added support for the fields under the raw log field "winlog.user_data".
- Added support for the raw log field "host.ip" for the event 4625.
- Added support for the raw log field "MemberName" for the event 4728, 4729, 4732, 4733, 4756, 4757.
- Added support for the raw log field "EventData.PreviousTim" and "EventData.NewTime" for the event 4616.
- Added support for the raw log field "TargetSid" for the event 4704.
- Added support for the event id 33205 with source name MSSQL$SSDB01$AUDIT.
2024-06-14 - Added support for unparsed logs for event 1102.
2024-06-12 - Added support for Windows event 1116 for sourcename "Microsoft-Windows-Windows Defender".
- Added support for new Grok for event 4698.
- Added support for raw log field "winlog.user.name", "winlog.user.domain", and "message".
2024-06-05 - Added support for "RunLevel" and "GroupId" field for windows event ID 4698.
- Added mapping for "Messasge" raw log field for the event 15457.
2024-05-08 - Added support of elements inside of "winlog.event_data.param1" field.
2024-05-01 - Added support for "Data/ScriptBlockText" field.
- Added support for "ObjectClass" field for event id "5139".
2024-04-24 - Handled the "metadata.event_type" UDM mapping for EventIDs 530, 531, 532, 533, 534, 535, 536, 537, and 539, similar to EventID 4625.
- Updated the mapping for "workstation" raw log field.
- Added the mapping for the EventID 1149.
- Added support of string and integer value types for "LogonType" field.
2024-03-27 - Extracted the username, port, and IP address from the Message raw log field for EventID: 2889.
- Mapped "PasswordLastSet" raw log field with "target.user.last_password_change_time" UDM field for EventID: 4738.
- Changed mapping of "RuleName" and "RuleId" raw log field for Event ID: 4945, 4947 and 4948.
2024-03-13 - Added additional mappings for "noun.labels" deprecated fields.
- Update mapping for EventID 4769.
- Add support for "event_data" object fields.
- Add mapping of "target.application" UDM field for 11707 event.
2024-02-29 - Added support for additional JSON format logs.
2024-02-28 - Added mapping of field "winlog.event_data.payload" for EventID: 4103.
- Added mapping of fields "TemplateVersion", "TemplateSchemaVersion", "TemplateOID", "TemplateDSObjectFQDN", "DCDNSName", "TemplateContent", and "SecurityDescriptor" for EventID: 4898.
- Added mapping of field "RelativeTargetName" for EventID: 5145.
2024-02-14 - Added mapping of field "TargetLogonId".
- Added mapping of field "PeerName", "ProtocolSequence" and "SecurityError" for EventID: 4816.
2024-01-31 - Added mapping of field "NewObjectDN" for EventID: 5139.
2024-01-17 - Bug fix
2024-01-16 Enhancement:
- When "EventID" is 4732 then a Grok pattern is added to extract "name" from "MemberName" and is mapped to "principal.user.user_display_name" .
2024-01-04 - Added support for the additional fields for "EventID": 4886, 4887.
2023-11-29 - Added a Grok pattern to extract data from "Message" log field for EventID: 1535.
- Aligned "principal/target.hostname" and "principal/target.asset.hostname" mapping.
2023-11-29 - Added a Grok pattern to extract data from "Message" log field for EventID: 1535.
- Aligned "principal/target.hostname" and "principal/target.asset.hostname" mapping.
2023-11-01 - For EventID: 4778, changed the following mappings:
"Hostname" raw log field to "target.hostname".
"Clientname" raw log field to "principal.hostname".
"ClientAddress" raw log field to "principal.ip".
2023-10-18 - Added mapping of fields "Version", "Level", "Task", "Opcode", "Keywords", "ThreadID", and "PackageName" for EventID: 4776.
- Parsed unsupported Event IDs to set "metadata.event_type" to either "GENERIC_EVENT" or "STATUS_UPDATE".
2023-10-04 - Mapped "Workstation" field to the "principal.asset_id" UDM field.
- Removed mapping sheet link from WINEVTLOG parser code.
2023-09-20 - Added about.labels with key as "creator_process_exe" and "new_process_exe" for EventID: 4688
2023-09-06 - Parsed "OU", "CN", "DC" fields from the message field for "EventID 4728".
- Copied value of "principal.hostname" to "principal.asset.hostname" if the "principal.asset.hostname" is remaining empty in the parser.
- Added support for new EventID: 40962, 53504, 40961 of SourceName "Microsoft-Windows-PowerShell".
2023-08-23 - Added mapping of fields "AccessMask" and "ObjectType" for EventID: 4656.
- Added support for new EventID: 852, 17137, 49930 of SourceName "MSSQLSERVER".
2023-08-09 - Added support for new EventID: 2006, 2001, 216, 2003, 2005, 637, 327 of SourceName "ESENT".
- Added support for new EventID: 202, 103, 119, 141, 106, 108, 110, 118, 142 of SourceName "Microsoft-Windows-TaskScheduler".
- Added 'convert' filter to handle the parsing for EventID: 4690 of SourceName "Microsoft-Windows-Security-Auditing"
- Added support for new EventID: 17063 of SourceName "MSSQLSERVER".
2023-07-26 - Added support for new EventID: 105 of SourceName "ESENT".
- Added support for new EventID: 4440 of SourceName "Microsoft-Windows-Complus".
- Added support for new EventID: 8200, 1004, 1014, 8197, 20482, 1033, 1013, 1067, 12304, 1036, 20489, 20481, 1025, 12305, 12311, 20488 of SourceName "Microsoft-Windows-Security-SPP".
- Added support for new EventID: 1281 of SourceName "Microsoft-Windows-TPM-WMI".
- Added support for new EventID: 63 of SourceName "Microsoft-Windows-WMI".
- Added support for new EventID: 1025, 11724, 1005, 1038, 1029 of SourceName "MsiInstaller".
- Added support for new EventID: 7030 of SourceName "Service Control Manager".
2023-07-12 Resolved validation error for event "SYSTEM_AUDIT_LOG_WIPE".
2023-06-28 - Added support for new EventID: 4105 of SourceName "Microsoft-Windows-PowerShell".
- Added support for new EventID: 403 of SourceName "PowerShell".
2023-06-14 Updated the parser to include "parse_network_http_user_agent" to use "Parsed User Agent" and "User Agent".
2023-05-31 - Added mapping of field "URI" and "Command" for EventID: 4698.
- Added mapping of "AccessMask" for EventID: 4663.
- Added mapping of "Message" and "ScriptBlockText" log fields for Event Id: 4104.
- Mapped "Opcode" with "about.labels".
- Changed mapping for "WorkstationName" log field.
- Added support for new EventID: 5447 of SourceName "Microsoft Corporation".
- Added a Grok pattern to extract data from "Message" log field for EventID: 4776, 4624, 4672, 4697, 7045.
2023-05-02 1. Added support for new EventID: 8 of SourceName "WSH".
2. Added mapping of field "param2" for EventID: 7036.
3. Added support for new ADFS Event IDs: 1200,1201,1202,1203,1204,1205,1206,1207.
2023-04-12 1. Added support for new EventIDs 3005 and 3006 of SourceName LogRhythm Agent.
2. Changed mapping of fields "Hostname", "WorkstationName", "ClientName" and "Workstation".
2023-03-29 1. For "Event ID 7036", when value is "stopped" in field "param2", changed "security_result.action" from "BLOCK" to "ALLOW".
2. Handled mapping of invalid hostname. Mapped it to "principal.labels" if validation fails.
2023-03-01 Added support for new format of cloud storage logs.
2023-02-15 1. Added support for new EventID: 325 of SourceName Microsoft-Windows-TaskScheduler.
2. Added Support for new EventID: 0 (SourceName: edgeupdate).
3. Added support for new EventID: 8 (SourceName: CylanceSvc).
4. Added mapping for TokenElevationType, MandatoryLabel for EventID: 4688.
2023-02-01 1. Added support for IT (Italian) and DE (German) language for parsing EventID 1102
2022-11-23 1. Handled properties field coming in message field for EventID: 4662.
2022-11-09 1. Changed EventType Mapping for EventId: 4776 of Microsoft-Windows-Security-Auditing.
2022-08-26 1. Changed EventType Mapping for EventId: 7036 of Service Control Manager.
2022-08-12 1. Added support for new EventID: 8010, 8017 of SourceName Microsoft-Windows-DNS-Client.
2. Added support for new EventID: 5857, 5858, 5859, 5860 of SourceName Microsoft-Windows-WMI-Activity.
3. For field PossibleCause, added on_error tag for handling replace failure error.
4. If target.hostname is empty then we have mapped DnsHostName with target.hostname UDM field otherwise we have mapped DnsHostName with target.asset.attribute.labels.key/value.
2022-08-01 1) Added support for new EventID:8021, 8022, 8025 of SourceName Microsoft-Windows-AppLocker.
2) Added mapping for FilePath,FileHash,Fqbn for EventID 8003, 8004, 8006, 8007.
3) Added mapping of Message field for EventID 1100.
4) Removed target_user_id due to dupliucation issue with target_group_display_name for EventID 4728,4732.
5) Added support for new EventID: 105, 6, 7 of SourceName WudfUsbccidDriver
6) Added support for new EventID: 12 of SourceName Microsoft-Windows-EnhancedStorage-EhStorTcgDrv
7) Added support for new EventID: 11 of SourceName Microsoft-Windows-Wininit
8) Added support for new EventID: 1068 of SourceName Microsoft-Windows-GroupPolicy
2022-07-11 1) Added support of new EventID:195, 196 of SourceName Microsoft-Windows-USB-USBHUB3.
2) Added support of new EventID:10001, 10002, 10100 of SourceName Microsoft-Windows-DriverFrameworks-UserMode.
3) Added support of new EventID:1014, 8015, 8018, 8019, 8020, 8027, 8033 of SourceName Microsoft-Windows-DNS-Client.
4) Removed user.role_name and user.role_description, Replaced with user.attribute.roles.name and user.attribute.roles.description
5) Added support for new EventID:2,19 of SourceName Microsoft-Windows-WHEA-Logger.
6) Added support for new EventID:20 of SourceName Microsoft-Windows-Kernel-General.
7) Added support for new EventID:22 of SourceName Microsoft-Windows-UserModePowerService.
8) Added support for new EventID:1000,1001 of SourceName Microsoft-Windows-LoadPerf.
9) Added support for new EventID:132, 142 of SourceName Microsoft-Windows-WinRM.
10) Added support for new EventID:4100 of SourceName Microsoft-Windows-PowerShell.
11) Added support for new EventID:24, 130 of SourceName Microsoft-Windows-Time-Service.
12) Added support for new EventID:10317 of SourceName Microsoft-Windows-NDIS.
13) Added support for new EventID:14205 of SourceName Microsoft-Windows-WMPNSS-Service
14) Added support for new EventID:16963, 16966 of SourceName Microsoft-Windows-Directory-Services-SAM.
11) Added support for new EventID:14, 15, 24 of SourceName TPM.
12) Added support for new EventID:4, 59, 61, 16385, 16392 of SourceName Microsoft-Windows-Bits-Client.
13) Removed Generic_Event usage from WINEVTLOG parser
14) Added mapping of Message field for EventID 104.
2022-07-04 1) Added FR language support for EventID 1102.
2022-06-17 1) Added support of new EventID:145 of SourceName Microsoft-Windows-WinRM.
2) Added mapping of Category GUIDs for EventID 4719.
3) Mapped AccountName and Domain by splitting Data_1 field for EventID 8222.
2022-06-07 1) Added support of new eventID:77 of Provider name: Microsoft-Windows-CertificationAuthority.
2) Added gsub and modified the grok pattern to avoid incorrect mapping of key 'MemberName' mapped to UDM field 'target.user.user_display_name'.
2022-05-24 1) Action set to ALLOW for error code equal to 0x0 for EventID 4776.
2) Added mapping for AuthenticationPackageName for EventID 4624, 4625.
3) Added support for EventID 400 for provider name PowerShell .
4) Added mapping for ScriptBlockID in EventID 4104.
5) Updated mapping of DeviceName for EventID 98, 140 from principal.hostname to target.resource_name.
6) Added support for EventID 3, 60, 100, 187, 1096, 1127, 8000, 8003, 8004, 8006, 8007, 8021, 8024, 10000, 10004, 10111, 14204.
7) Added security_result.severity for EventID 10110.
8) Added ServiceFileName mapping for EventID 7045.
9) Mapped Computer field with intermediary.hostname.
10) Mappedd UserAccountControl for EventID 4738.
11) Added mapping for TargetOutboundUserName in EventID 4624.
2022-05-10 1) Enhanced WINEVTLOG parser by adding support of WINDOWS 11 and WINDOWS SERVER 2022 events.
2) Added support of new events: 1202, 102, 11, 10, 18, 1000, 1027, 1025, 10110, 1026, 1282, 1130, 10118, 1, 4000, 4101, 4001, 400.
3) For 5137 & 5141, mapped SubjectLogonId with principal.labels.key/value.
4) Mapped Computer field with intermediary.hostname.
5) For 4719, mapped the value of AuditPolicyChanges with about.labels.key/value.
6) For 5141, mapped ObjectClass field with target.labels.key/value.
7) Action set to ALLOW for error codes equal to 0x0.
8) Added mapping of TargetOutboundUserName in EventID 4624.
9) Added raw value of AccessList in target.resource.attribute.permissions.name.
10) For 4698, 4699 and 4702, mapped task_command with principal.process.file.full_path and task_arguments with principal.process.command_line.
2022-04-27 Promoted parser from test to new global default.
2022-04-22 1) Added EventID 1202 (Provider name: SceCli) and Event ID 102 (Provider Name: Microsoft-Windows-TaskScheduler).
2022-04-21 1) For every event mapped Message field for Microsoft-Windows-Security-Auditing.
2) For EventID 5137 mapped ObjectClass, ObjectDN.
3) For EventID 5136 mapped AttributeValue.
4) For EventID 4769 mapped TicketOptions, TicketEncryptionType.
5) For EventID 4662 mapped ObjectType
6) For EventID 4625 mapped FailureReason
7) For EventID 4742 mapped SubjectLogonId
8) Mapped Computer as intermediary.hostname.
2022-03-30 1) Added mapping of `Channel` field for all the Event IDs.
2) For EventID `5861` and SourceName `Microsoft-Windows-WMI-Activity`, changed mapping of `Channel` field from `security_result.summary` to `about.labels.key/value`.
3) Added mapping of Task field for Event ID 4702.
4) Extracted Event Description from Message field for Event ID 4767.
5) Added gsub to handle "·" present in Message field for Event ID 4719.
6) Added mapping of DSName and DSType field for Event ID 5137 & 5141.
7) Added mapping of ObjectClass field for Event ID 5141.
8) Added mapping of OriginalVolume(Data_9), ShadowDeviceName(Data_8) and ProcessName(Data_3) field for Event ID 8222.
9) Added mapping of OriginalVolume(Data_8) and ShadowDeviceName(Data_7) field for Event ID 8223.
2022-03-29 1) Added mapping of TargetLogonId field for Event ID 4624.
2) Added mapping of ServiceSid field for Event ID 4769.
3) Added mapping of NewObjectDN and OldObjectDN fields for Event ID 5139.
4) Added mapping of DnsHostName field for Event ID 4741.
5) Added mapping for SubjectLogonId field.
6 )Mapped actual hostname from FQDN name in Event ID 4768.