Change log for WINEVTLOG_XML

Date Changes
2024-02-20 Enhancement:
- Added support for a new pattern of XML logs embedded in JSON fields.
- Added support for "EventIDs" 4947 and 8222.
- When "EventID" is 4985, mapped "SubjectDomainName" to "principal.administrative_domain".
2024-02-13 Enhancement:
- Added a block for "EventId" 1309 to parse previously unparsed logs.
- Replaced redundant code with common code.
- Mapped "Hostname" to "principal.asset.hostname".
- Mapped "WorkstationName", "TargetAccountDomain", "SourceAddress", "DSName", "database_name", and "target_hostname" to "target.asset.hostname".
2024-01-25 Enhancement:
- Mapped "Properties" to "target.resource.attribute.labels".
2024-01-05 Enhancement:
- Mapped "TargetLogonId", "AccessMask", "CertIssuerName", "TicketOptions", "TargetUserName", "AttributeLDAPDisplayName", "AttributeValues", "ObjectDN" to "additional.fields".
2023-12-29 Enhancement:
- Added support for logs with "EventIDs" 0, 208, 219, 233, 1000, 1026, 1315, 10000, 10001, 10002, 10003, 10114, 16969, 17573, 18453, 18454, 36867, and 49930.
- Added a null check for "registry_key" before setting the "metadata.event_type" to "REGISTRY_MODIFICATION" for "EventID" 13.
- Added a null check for "registry_key" before setting the "metadata.event_type" to "REGISTRY_CREATION" for "EventID" 12.
- When "target.registry" is empty and "Hostname" is present, set "metadata.event_type" to "STATUS_UPDATE" for "EventIDs" 12 and 13.
- Added a regular expression pattern as a conditional check for "UserID" to match the "windows_sid" pattern for "EventIDs" 7040 and 7045.
- When "UserID" does not match "windows_sid", mapped "UserID" to "principal.user.userid" for "EventID" 4070.
- When "UserID" does not match "windows_sid", mapped "UserID" to "target.user.userid" for "EventID" 4075.
2023-11-20 Enhancement:
- Added a regular expression pattern as a conditional check for "TargetUserSid" to match the "windows_sid" pattern.
- Added a regular expression pattern as a conditional check for "TargetSid" to match the "windows_sid" pattern.
- Added a regular expression pattern as a conditional check for "SubjectUserSid" to match the "windows_sid" pattern.
- Changed "event1.idm.read_only_udm.metadata.event_type" from "STATUS_UPDATE" to "USER_RESOURCE_ACCESS" when "Event.System.EventID" value is "4797".
- Mapped "Event.System.Provider@Name" to "event1.principal.application" when "Event.System.EventID" value is "4797".
- Mapped "Event.System.Correlation@ActivityID" to "event1.security_result.detection_fields" when "Event.System.EventID" value is "4797".
- Mapped "Event.System.Execution@ProcessID" to "event1.principal.process.pid" when "Event.System.EventID" value is "4797".
- Mapped "Event.EventData.Data@SubjectUserName" to "event1.idm.read_only_udm.principal.user.userid" when "Event.System.EventID" value is "4797".
- Mapped "Event.EventData.Data@SubjectDomainName" to "event1.idm.read_only_udm.principal.administrative_domain" when "Event.System.EventID" value is "4797".
- Mapped "Event.EventData.Data@Workstation" to "event1.idm.read_only_udm.target.hostname" when "Event.System.EventID" value is "4797".
- Mapped "Event.EventData.Data@TargetUserName" to "event1.idm.read_only_udm.target.user.userid" when "Event.System.EventID" value is "4797".
- Mapped "Event.EventData.Data@TargetDomainName" to "event1.idm.read_only_udm.target.administrative_domain" when "Event.System.EventID" value is "4797".
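As an added example (not the parser's own code), the SID-pattern gate described in the 2023-11-20 and 2023-12-29 entries, applied to Windows event XML carried inside a JSON field: a SID-shaped value is routed to a "windows_sid" field and anything else to "userid". The "Message" field name, the SID regex, the "Computer" hostname mapping and the "windows_sid" target for SID-shaped values are assumptions; the "userid" routing for 4070 and 4075 follows the change log.

```python
import json
import re
import xml.etree.ElementTree as ET

# Assumed SID shape (S-1-<authority>-<sub-authorities>...); the parser's own
# "windows_sid" regex is not on the page, so this is an illustrative stand-in.
WINDOWS_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# EventID -> UDM user prefix, as the change log states for 4070 and 4075.
USERID_PREFIX = {4070: "principal.user", 4075: "target.user"}


def extract_event(raw_json: str) -> tuple:
    """Pull EventID, Computer and the EventData name/value pairs out of the
    event XML embedded in an (assumed) JSON "Message" field. The {*} namespace
    wildcard needs Python 3.8+."""
    root = ET.fromstring(json.loads(raw_json)["Message"])
    event_id = int(root.findtext("{*}System/{*}EventID"))
    computer = root.findtext("{*}System/{*}Computer")
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("{*}EventData/{*}Data")}
    return event_id, computer, data


def to_udm(raw_json: str) -> dict:
    """Normalise one record into a flat UDM-style dict."""
    event_id, computer, data = extract_event(raw_json)
    udm = {"metadata.event_type": "STATUS_UPDATE"}
    if computer:
        udm["principal.asset.hostname"] = computer  # assumed mapping
    user_id = data.get("UserID")
    if user_id:  # null check before any mapping of UserID
        is_sid = bool(WINDOWS_SID_RE.match(user_id))
        if event_id in USERID_PREFIX:
            # Page rule: a non-SID UserID is an account name -> .userid;
            # sending a SID-shaped value to .windows_sid is an assumption.
            field = "windows_sid" if is_sid else "userid"
            udm[f"{USERID_PREFIX[event_id]}.{field}"] = user_id
        elif event_id in (7040, 7045) and is_sid:
            udm["principal.user.windows_sid"] = user_id  # assumed target field
    return udm


def _wrap(event_id: int, user_id: str) -> str:
    """Constructed sample: event XML embedded in a JSON "Message" field."""
    xml = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
           f"<System><EventID>{event_id}</EventID><Computer>ws01.example.test</Computer></System>"
           f'<EventData><Data Name="UserID">{user_id}</Data></EventData></Event>')
    return json.dumps({"Message": xml})


SAMPLE_SID = _wrap(4075, "S-1-5-21-1111111111-2222222222-3333333333-1104")
SAMPLE_NAME = _wrap(4070, "jdoe")
```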
2023-11-10 Enhancement:
- Added support for EventIDs 4098 and 14554 logs.
- Mapped "Keywords" to "additional.fields".
- Mapped "AttributeLDAPDisplayName" to "target.resource.attribute.labels" for EventId 5136.
2023-11-02 Enhancement:
- For logs with EventId 4624:
  - Added a new Grok pattern to parse logs with EventId 4624.
  - Mapped "PrincipalDomain" to "principal.administrative_domain".
  - Mapped "PrincipalAccountName" to "principal.user.userid".
  - Mapped "TargetAccountName" to "target.user.userid".
  - Mapped "TargetDomain" to "target.administrative_domain".
  - Mapped "Logon GUID" to "principal.resource.id".
  - Mapped "ProcessID" to "target.process.pid".
  - Mapped "SourceAddress" to "principal.ip".
  - Mapped "Security_ID", "VirtualAccount", "EventCategory", "ImpersonationLevel", "LinkedLogonID", "NetworkAccountName", "NetworkAccountDomain", and "RestrictedAdminMode" to "security_result.detection_fields".
  - Mapped "LogonID" and "TargetLogonID" to "about.labels".
  - Mapped "AgentDevice" to "additional.fields".
  - Mapped "EventType" to "target.registry.registry_key".
  - Mapped "SourcePort" to "principal.port".
- For logs with EventId 4794:
  - Mapped "Workstation" to "principal.hostname".
  - Mapped "ProcessId" to "principal.process.pid".
  - Mapped "SourceName" to "target.application".
  - Mapped "ProviderGuid" to "target.resource.product_object_id".
2023-10-10 Enhancement:
- Added support for EventIDs 403, 404, 410, 510, 1001, 1502, 1100, 4105, 4703, 4793, 4797, 4954, 5158, 5379, 5827, 6417, 10016, 10028, 18452, 36871, 1073748860, 1073747010, and 2147483684 logs.
- Added support for logs that contain Task =~ "SE_ADT".
- Added a null check for "AccountName" for EventIDs 1704, 4624, 4625, and 5861.
2023-09-12 Bug-Fix:
- Removed mapping of "ProcessName" from "principal.user.userid".
- Added support for a new pattern of EventID 4781 logs.
- Checked and added "on_error" for "ProviderGuid", "LogonID", "SourceName", "Task", "SourceModuleName", and "SourceModuleType" for EventID 4825.
- Added a null check for "UserID" for EventID 517.
- Added support for a new pattern of EventID 4731 logs.
2023-08-25:
- Resolved an issue caused by the mapping of "security_result.about.resource.type".
2023-08-21 Bug-Fix:
- Mapped "Account Name" to "principal.user.userid" for EventID 4625 logs.
- Mapped "Account Domain" to "principal.administrative_domain" for EventID 4625 logs.
- Mapped "Workstation Name" to "principal.hostname" for EventID 4625 logs.
- Mapped "Caller Process Id" to "principal.process.pid" for EventID 4625 logs.
- Mapped "Source Network Address" to "principal.ip" for EventID 4625 logs.
- Mapped "Source Port" to "principal.port" for EventID 4625 logs.
- Mapped "Logon Process" to "additional.fields" for EventID 4625 logs.
- Mapped "Opcode" to "about.labels".
- Mapped "SubjectLogonId" to "principal.labels".
- Mapped "SubjectUserSid" to "principal.user.windows_sid".
- Mapped "ServiceName" to "target.application".
- Mapped "ImpersonationLevel" to "about.labels".
- Mapped "TargetHandleId" to "about.labels".
- Mapped "RestrictedAdminMode" to "about.labels".
- Mapped "TargetOutboundDomainName" to "target.user.attribute.labels".
- Mapped "KeyLength" to "target.labels".
- Mapped "LmPackageName" to "target.labels".
- Mapped "TargetLogonId" to "target.labels".
- Mapped "TransmittedServices" to "target.labels".
- Mapped "TargetLinkedLogonId" to "target.labels".
- Mapped "VirtualAccount" to "target.labels".
- Mapped "OldSd" to "target.resource.attribute.labels".
- Mapped "NewSd" to "target.resource.attribute.labels".
2023-07-24 Enhancement:
- Added support for EventIDs 16384 and 16394.
- Handled nested XML EventID logs.
2023-03-17 Enhancement:
- Added support for key-value format logs.
- Mapped "Channel", "SubjectLogonId", and "ThreadId" to "additional.labels".
Enhancement: Parsed logs with EventIDs 4674, 4932, and 4933.
- When "EventID" is 4731, 4732, 4733, 4734, 4735, 4737, 4798, or 4799, mapped the following:
  - Mapped "TargetDomainName" to "target.administrative_domain".
  - Mapped "TargetSid" to "target.user.windows_sid".
2023-01-15 Enhancement:
- For logs with "EventId" 8004:
  - Mapped "Task" to "target.resource.type".
  - Mapped "DomainName" to "principal.administrative_domain".
  - Mapped "Keywords", "Channel", "Level", "SChannelName", "SChannelType", and "Opcode" to "".
  - Mapped "ThreadID" to "target.resource.attribute.labels".
2023-01-13 Enhancement:
- Handled unparsed logs with "EventId" 5001 and 5007.
- Mapped "ProcessID" to "target.process.pid".
- Mapped "ProviderGuid" to "target.resource.product_object_id".
- Mapped "UserID" to "target.user.windows_sid".
- Mapped "ProductName" and "ProductVersion" to "metadata.product_version".
- Set "metadata.event_type" to "STATUS_UPDATE".
2022-12-06 Enhancement:
- Handled unparsed logs with "EventId" 8004.