Change log for WINEVTLOG

Date Changes
2024-03-13 - Added additional mappings for "noun.labels" deprecated fields.
- Update mapping for EventID 4769.
- Add support for "event_data" object fields.
- Add mapping of "target.application" UDM field for 11707 event.
2024-02-29 - Added support for additional JSON format logs.
2024-02-28 - Added mapping of field "winlog.event_data.payload" for EventID: 4103.
- Added mapping of fields "TemplateVersion", "TemplateSchemaVersion", "TemplateOID", "TemplateDSObjectFQDN", "DCDNSName", "TemplateContent", and "SecurityDescriptor" for EventID: 4898.
- Added mapping of field "RelativeTargetName" for EventID: 5145.
2024-02-14 - Added mapping of field "TargetLogonId".
- Added mapping of field "PeerName", "ProtocolSequence" and "SecurityError" for EventID: 4816.
2024-01-31 - Added mapping of field "NewObjectDN" for EventID: 5139.
2024-01-17 - Bug fix
2024-01-16 Enhancement:
- When "EventID" is 4732, a Grok pattern is added to extract "name" from "MemberName", which is mapped to "principal.user.user_display_name".
2024-01-04 - Added support for the additional fields for "EventID": 4886, 4887.
2023-11-29 - Added a Grok pattern to extract data from "Message" log field for EventID: 1535.
- Aligned "principal/target.hostname" and "principal/target.asset.hostname" mapping.
2023-11-01 - For EventID: 4778, changed the following mappings:
"Hostname" raw log field to "target.hostname".
"Clientname" raw log field to "principal.hostname".
"ClientAddress" raw log field to "principal.ip".
2023-10-18 - Added mapping of fields "Version", "Level", "Task", "Opcode", "Keywords", "ThreadID", and "PackageName" for EventID: 4776.
- Parsed unsupported Event IDs to set "metadata.event_type" to either "GENERIC_EVENT" or "STATUS_UPDATE".
2023-10-04 - Mapped "Workstation" field to the "principal.asset_id" UDM field.
- Removed mapping sheet link from WINEVTLOG parser code.
2023-09-20 - Added about.labels with key as "creator_process_exe" and "new_process_exe" for EventID: 4688
2023-09-06 - Parsed "OU", "CN", "DC" fields from the message field for "EventID 4728".
- Copied value of "principal.hostname" to "principal.asset.hostname" if "principal.asset.hostname" is empty in the parser.
- Added support for new EventID: 40962, 53504, 40961 of SourceName "Microsoft-Windows-PowerShell".
2023-08-23 - Added mapping of fields "AccessMask" and "ObjectType" for EventID: 4656.
- Added support for new EventID: 852, 17137, 49930 of SourceName "MSSQLSERVER".
2023-08-09 - Added support for new EventID: 2006, 2001, 216, 2003, 2005, 637, 327 of SourceName "ESENT".
- Added support for new EventID: 202, 103, 119, 141, 106, 108, 110, 118, 142 of SourceName "Microsoft-Windows-TaskScheduler".
- Added 'convert' filter to handle the parsing for EventID: 4690 of SourceName "Microsoft-Windows-Security-Auditing"
- Added support for new EventID: 17063 of SourceName "MSSQLSERVER".
2023-07-26 - Added support for new EventID: 105 of SourceName "ESENT".
- Added support for new EventID: 4440 of SourceName "Microsoft-Windows-Complus".
- Added support for new EventID: 8200, 1004, 1014, 8197, 20482, 1033, 1013, 1067, 12304, 1036, 20489, 20481, 1025, 12305, 12311, 20488 of SourceName "Microsoft-Windows-Security-SPP".
- Added support for new EventID: 1281 of SourceName "Microsoft-Windows-TPM-WMI".
- Added support for new EventID: 63 of SourceName "Microsoft-Windows-WMI".
- Added support for new EventID: 1025, 11724, 1005, 1038, 1029 of SourceName "MsiInstaller".
- Added support for new EventID: 7030 of SourceName "Service Control Manager".
2023-07-12 Resolved validation error for event "SYSTEM_AUDIT_LOG_WIPE".
2023-06-28 - Added support for new EventID: 4105 of SourceName "Microsoft-Windows-PowerShell".
- Added support for new EventID: 403 of SourceName "PowerShell".
2023-06-14 Updated the parser to include "parse_network_http_user_agent" to use "Parsed User Agent" and "User Agent".
2023-05-31 - Added mapping of field "URI" and "Command" for EventID: 4698.
- Added mapping of "AccessMask" for EventID: 4663.
- Added mapping of "Message" and "ScriptBlockText" log fields for Event Id: 4104.
- Mapped "Opcode" with "about.labels".
- Changed mapping for "WorkstationName" log field.
- Added support for new EventID: 5447 of SourceName "Microsoft Corporation".
- Added a Grok pattern to extract data from "Message" log field for EventID: 4776, 4624, 4672, 4697, 7045.
2023-05-02 1. Added support for new EventID: 8 of SourceName "WSH".
2. Added mapping of field "param2" for EventID: 7036.
3. Added support for new ADFS Event IDs: 1200,1201,1202,1203,1204,1205,1206,1207.
2023-04-12 1. Added support for new EventIDs 3005 and 3006 of SourceName LogRhythm Agent.
2. Changed mapping of fields "Hostname", "WorkstationName", "ClientName" and "Workstation".
2023-03-29 1. For "Event ID 7036", when value is "stopped" in field "param2", changed "security_result.action" from "BLOCK" to "ALLOW".
2. Handled mapping of invalid hostname. Mapped it to "principal.labels" if validation fails.
2023-03-01 Added support for new format of cloud storage logs.
2023-02-15 1. Added support for new EventID: 325 of SourceName Microsoft-Windows-TaskScheduler.
2. Added Support for new EventID: 0 (SourceName: edgeupdate).
3. Added support for new EventID: 8 (SourceName: CylanceSvc).
4. Added mapping for TokenElevationType, MandatoryLabel for EventID: 4688.
2023-02-01 1. Added support for IT (Italian) and DE (German) language for parsing EventID 1102
2022-11-23 1. Handled properties field coming in message field for EventID: 4662.
2022-11-09 1. Changed EventType Mapping for EventId: 4776 of Microsoft-Windows-Security-Auditing.
2022-08-26 1. Changed EventType Mapping for EventId: 7036 of Service Control Manager.
2022-08-12 1. Added support for new EventID: 8010, 8017 of SourceName Microsoft-Windows-DNS-Client.
2. Added support for new EventID: 5857, 5858, 5859, 5860 of SourceName Microsoft-Windows-WMI-Activity.
3. For field PossibleCause, added on_error tag for handling replace failure error.
4. If target.hostname is empty, DnsHostName is mapped to the target.hostname UDM field; otherwise DnsHostName is mapped to target.asset.attribute.labels.key/value.
2022-08-01 1) Added support for new EventID:8021, 8022, 8025 of SourceName Microsoft-Windows-AppLocker.
2) Added mapping for FilePath,FileHash,Fqbn for EventID 8003, 8004, 8006, 8007.
3) Added mapping of Message field for EventID 1100.
4) Removed target_user_id due to duplication issue with target_group_display_name for EventID 4728, 4732.
5) Added support for new EventID: 105, 6, 7 of SourceName WudfUsbccidDriver
6) Added support for new EventID: 12 of SourceName Microsoft-Windows-EnhancedStorage-EhStorTcgDrv
7) Added support for new EventID: 11 of SourceName Microsoft-Windows-Wininit
8) Added support for new EventID: 1068 of SourceName Microsoft-Windows-GroupPolicy
2022-07-11 1) Added support of new EventID:195, 196 of SourceName Microsoft-Windows-USB-USBHUB3.
2) Added support of new EventID:10001, 10002, 10100 of SourceName Microsoft-Windows-DriverFrameworks-UserMode.
3) Added support of new EventID:1014, 8015, 8018, 8019, 8020, 8027, 8033 of SourceName Microsoft-Windows-DNS-Client.
4) Removed user.role_name and user.role_description, Replaced with user.attribute.roles.name and user.attribute.roles.description
5) Added support for new EventID:2,19 of SourceName Microsoft-Windows-WHEA-Logger.
6) Added support for new EventID:20 of SourceName Microsoft-Windows-Kernel-General.
7) Added support for new EventID:22 of SourceName Microsoft-Windows-UserModePowerService.
8) Added support for new EventID:1000,1001 of SourceName Microsoft-Windows-LoadPerf.
9) Added support for new EventID:132, 142 of SourceName Microsoft-Windows-WinRM.
10) Added support for new EventID:4100 of SourceName Microsoft-Windows-PowerShell.
11) Added support for new EventID:24, 130 of SourceName Microsoft-Windows-Time-Service.
12) Added support for new EventID:10317 of SourceName Microsoft-Windows-NDIS.
13) Added support for new EventID:14205 of SourceName Microsoft-Windows-WMPNSS-Service
14) Added support for new EventID:16963, 16966 of SourceName Microsoft-Windows-Directory-Services-SAM.
15) Added support for new EventID:14, 15, 24 of SourceName TPM.
16) Added support for new EventID:4, 59, 61, 16385, 16392 of SourceName Microsoft-Windows-Bits-Client.
17) Removed Generic_Event usage from WINEVTLOG parser.
18) Added mapping of Message field for EventID 104.
2022-07-04 1) Added FR language support for EventID 1102.
2022-06-17 1) Added support of new EventID:145 of SourceName Microsoft-Windows-WinRM.
2) Added mapping of Category GUIDs for EventID 4719.
3) Mapped AccountName and Domain by splitting Data_1 field for EventID 8222.
2022-06-07 1) Added support of new eventID:77 of Provider name: Microsoft-Windows-CertificationAuthority.
2) Added gsub and modified the grok pattern to avoid incorrect mapping of key 'MemberName' mapped to UDM field 'target.user.user_display_name'.
2022-05-24 1) Action set to ALLOW for error code equal to 0x0 for EventID 4776.
2) Added mapping for AuthenticationPackageName for EventID 4624, 4625.
3) Added support for EventID 400 for provider name PowerShell .
4) Added mapping for ScriptBlockID in EventID 4104.
5) Updated mapping of DeviceName for EventID 98, 140 from principal.hostname to target.resource_name.
6) Added support for EventID 3, 60, 100, 187, 1096, 1127, 8000, 8003, 8004, 8006, 8007, 8021, 8024, 10000, 10004, 10111, 14204.
7) Added security_result.severity for EventID 10110.
8) Added ServiceFileName mapping for EventID 7045.
9) Mapped Computer field with intermediary.hostname.
10) Mapped UserAccountControl for EventID 4738.
11) Added mapping for TargetOutboundUserName in EventID 4624.
2022-05-10 1) Enhanced WINEVTLOG parser by adding support of WINDOWS 11 and WINDOWS SERVER 2022 events.
2) Added support of new events: 1202, 102, 11, 10, 18, 1000, 1027, 1025, 10110, 1026, 1282, 1130, 10118, 1, 4000, 4101, 4001, 400.
3) For 5137 & 5141, mapped SubjectLogonId with principal.labels.key/value.
4) Mapped Computer field with intermediary.hostname.
5) For 4719, mapped the value of AuditPolicyChanges with about.labels.key/value.
6) For 5141, mapped ObjectClass field with target.labels.key/value.
7) Action set to ALLOW for error codes equal to 0x0.
8) Added mapping of TargetOutboundUserName in EventID 4624.
9) Added raw value of AccessList in target.resource.attribute.permissions.name.
10) For 4698, 4699 and 4702, mapped task_command with principal.process.file.full_path and task_arguments with principal.process.command_line.
2022-04-27 Promoted parser from test to new global default.
2022-04-22 1) Added EventID 1202 (Provider name: SceCli) and Event ID 102 (Provider Name: Microsoft-Windows-TaskScheduler).
2022-04-21 1) For every event mapped Message field for Microsoft-Windows-Security-Auditing.
2) For EventID 5137 mapped ObjectClass, ObjectDN.
3) For EventID 5136 mapped AttributeValue.
4) For EventID 4769 mapped TicketOptions, TicketEncryptionType.
5) For EventID 4662 mapped ObjectType
6) For EventID 4625 mapped FailureReason
7) For EventID 4742 mapped SubjectLogonId
8) Mapped Computer as intermediary.hostname.
2022-03-30 1) Added mapping of `Channel` field for all the Event IDs.
2) For EventID `5861` and SourceName `Microsoft-Windows-WMI-Activity`, changed mapping of `Channel` field from `security_result.summary` to `about.labels.key/value`.
3) Added mapping of Task field for Event ID 4702.
4) Extracted Event Description from Message field for Event ID 4767.
5) Added gsub to handle "·" present in Message field for Event ID 4719.
6) Added mapping of DSName and DSType field for Event ID 5137 & 5141.
7) Added mapping of ObjectClass field for Event ID 5141.
8) Added mapping of OriginalVolume(Data_9), ShadowDeviceName(Data_8) and ProcessName(Data_3) field for Event ID 8222.
9) Added mapping of OriginalVolume(Data_8) and ShadowDeviceName(Data_7) field for Event ID 8223.
2022-03-29 1) Added mapping of TargetLogonId field for Event ID 4624.
2) Added mapping of ServiceSid field for Event ID 4769.
3) Added mapping of NewObjectDN and OldObjectDN fields for Event ID 5139.
4) Added mapping of DnsHostName field for Event ID 4741.
5) Added mapping for SubjectLogonId field.
6) Mapped actual hostname from FQDN name in Event ID 4768.