Change log for WINEVTLOG_XML

Date Changes
2024-11-27 Enhancement:
- Added support to parse unparsed logs.
2024-11-27 Enhancement:
- Added support to parse unparsed logs.
2024-11-04 Enhancement:
- Added a new Grok pattern to parse the data that was not parsed earlier.
- Added support to parse failed logs.
- Mapped "hostname_prin" to "principal.hostname".
- Mapped "ip" to "principal.ip" and "principal.asset.ip".
- Mapped "Account Name" to "target.yser.userid" and "principal.user.userid".
2024-10-27 Enhancement:
- Added support for new pattern of SYSLOG logs.
2024-10-18 Enhancement:
- Mapped "AttributeSyntaxOID" and "OperationType" to "additional.fields".
- Modified the XML pattern to parse "OpCorrelationID" and "ObjectGUID".
2024-10-10 Enhancement:
- Added support for a new pattern of syslog logs.
- Changed EventId mapping from "column4" to "column6".
2024-10-04 Enhancement:
- Added support for new pattern of SYSLOG logs.
2024-10-01 Enhancement:
- Modified the XML pattern to parse "LogonProcessName".
2024-09-24 Enhancement:
- Added new Grok patterns to parse "task_command" and "task_arguments" fields.
2024-09-03 Enhancement:
- Mapped "DomainPolicyChanged" to "security_result.detection_fields".
2024-08-30 Enhancement:
- Added support to handle unparsed SYSLOG + KV logs.
- Modified mappong for "AttributeLDAPDisplayName" from "target.resource.type" to "target.resource.resource_subtype".
- Handled logs having "EventId" as 4826.
- Mapped "MemberSid" to "principal.resource.attribute.labels".
2024-08-27 Enhancement:
- Modified FILE/USER/NETWORK/STATUS uncategorized events to appropriate event types.
2024-08-21 Enhancement:
- Added support to parse syslog and CSV logs.
2024-08-16 Enhancement:
- Mapped "source" to "about.process.command_line".
2024-08-13 Enhancement:
- Added support for new format of syslog and JSON logs.
2024-08-08 Enhancement:
- Mapped "task_command" to "principal.process.file.full_path" and "task_arguments" to "principal.process.command_line" for EventIDs "4698", "4699", "4700", "4701", and "4702".
2024-08-06 Enhancement:
- Added support to parse logs with EventIDs 1149, 21, and 4611.
- Added support to map "CallerProcessName" to "target.file.full_path" for logs with EventId 4799.
- Mapped "Param1" to "target.user.userid".
- Mapped "Param2" to "principal.administrative_domain".
- Mapped "Param3" to "principal.ip".
- Added a grok pattern to parse UserData from field "Message".
2024-07-26 Enhancement:
- Added support to parse dropped logs.
- Mapped "SubjectUserName" and "SubjectUserSid" to "additional.fields".
2024-07-08 Enhancement:
- Mapped "Hostname" to "additional.fields" with "src" as the key.
- Added support to parse logs for EventID 5157.
- Mapped "UserRight", and "AuditSourceName" to "security_result.detection_fields".
- Added support for McAfee logs.
2024-06-24 Enhancement:
- Added support to parse dropped logs.
- Mapped "PackageName" to "security_result.detection_fields".
2024-06-10 Bug-Fix, Enhancement:
- Added "gsub" for "NewProcessName" to restore "C~" to "C:".
- Added "gsub" for "Task Name" and "Auditing Settings" to parse them properly.
- Added a Grok pattern for "Logon Type" for EventID 4634.
- Mapped "AgentLogFile" to "additional.fields".
2024-05-20 Enhancement, Bug-Fix:
- Added support to parse logs for EventIDs 5807, 5723, 5721, 5840, 5802.
- Changed mapping of "TargetUserName" from "additional.fields" to "target.user.userid".
- Mapped "SubjectAccountName" to "principal.user.userid" and "TargetAccountName" to "target.user.userid" for EventIDs 4648, 4624, and 4720.
- Mapped "ProcessName" to "target.process.file.full_path" for EventID 1.
- Mapped "TargetServerName" to "additional.fields".
- Added "gsub" for "Source Workstation" and "Error Code" fields to avoid "Error" getting mapped to "principal.hostname".
2024-05-14 Enhancement:
- Added support to parse logs for EventID 4739.
2024-05-06 Enhancement:
- Mapped "Privileges" to "security_result.detection_fields".
2024-04-23 Enhancement:
- Added support to map "Logon Type" for logs with EventIds 4624.
- Mapped "Logon Type" to "additional.fields".
2024-04-23 Enhancement:
- Added support to map "Logon Type" for logs with EventIds 4624.
- Mapped "Logon Type" to "additional.fields".
2024-04-16 Enhancement:
- Mapped "IpAddress1" to "principal.ip" when "EventID" is 4625.
- Mapped "AccessRight" to "additional.fields" as per its corresponding values.
2024-03-25 Enhancement:
- Added additional mapping of fields for logs with EventIds 4648, 4771.
2024-03-15 Enhancement:
- Changed mapping of "principal.user.user_display_name" to "target.user.user_display_name" for "EventIDs" 4732,4733,4728,4729,4756,4757,4746,4747,4751,4752,4761,4762 logs.
- When "EventID" is 5140, then mapped "ShareName" to "target.file.names".
- When "EventID" is 4624, then mapped "LmPackageName" to "target.labels".
2024-02-20 Enhancement:
- Added support for new pattern of XML logs embedded in JSON fields.
- Added support for "EventIDs" 4947 and 8222.
- When "EventID" is 4985, then mapped "SubjectDomainName" to "principal.administrative_domain".
2024-02-13 Enhancement:
- Added a block for "EventId" "1309" to parse unparsed logs.
- Replaced redundant code with common code.
- Mapped "Hostname" to "principal.asset.hostname".
- Mapped "WorkstationName", "TargetAccountDomain", "SourceAddress", "DSName", "database_name", and "target_hostname" to "target.asset.hostname".
2024-01-25 Enhancement:
- Mapped "Properties" to "target.resource.attribute.labels".
2024-01-05 Enhancement:
- Mapped "TargetLogonId", "AccessMask", "CertIssuerName", "TicketOptions", "TargetUserName", "AttributeLDAPDisplayName", "AttributeValues", "ObjectDN" to "additional.fields".
2023-12-29 Enhancement:
- Added support for "EventIDs" 0, 208, 219, 233, 1000, 1026, 1315, 10000, 10001, 10002, 10003, 10114, 16969, 17573, 18453, 18454, 36867, 49930 logs.
- Added a null check for "registry_key" before setting the "metadata.event_type" to "REGISTRY_MODIFICATION" for "EventID" 13.
- Added a null check for "registry_key" before setting the "metadata.event_type" to "REGISTRY_CREATION" for "EventID" 12.
- When "target.registry" is empty and "Hostname" is present, then set "metadata.event_type" to "STATUS_UPDATE" for "EventIDs" 12, 13.
- Added a regular expression pattern as conditional check for "UserID" to match "windows_sid" pattern for "EventIDs" 7040, 7045.
- When "UserID" does not match "windows_sid", then mapped "UserID" to "principal.user.userid" for "EventID" 4070.
- When "UserID" does not match "windows_sid", then mapped "UserID" to "target.user.userid" for "EventID" 4075.
2023-11-20 Enhancement:
- Added a regular expression pattern as conditional check for "TargetUserSid" to match "windows_sid" pattern.
- Added a regular expression pattern as conditional check for "TargetSid" to match "windows_sid" pattern.
- Added a regular expression pattern as conditional check for "SubjectUserSid" to match "windows_sid" pattern.
- Set "event1.idm.read_only_udm.metadata.event_type" from "STATUS_UPDATE" to "USER_RESOURCE_ACCESS" when "Event.System.EventID" value is "4797".
- Mapped "Event.System.Provider@Name" to "event1.principal.application" when "Event.System.EventID" value is "4797".
- Mapped "Event.System.Correlation@ActivityID" to "event1.security_result.detection_fields" when "Event.System.EventID" value is "4797".
- Mapped "Event.System.Execution@ProcessID" to "event1.principal.process.pid" when "Event.System.EventID" value is "4797".
- Mapped "Event.EventData.Data@SubjectUserName" to "event1.idm.read_only_udm.principal.user.userid" when "Event.System.EventID" value is "4797".
- Mapped "Event.EventData.Data@SubjectDomainName" to "event1.idm.read_only_udm.principal.administrative_domain" when "Event.System.EventID" value is "4797".
- Mapped "Event.EventData.Data@Workstation" to "event1.idm.read_only_udm.target.hostname" when "Event.System.EventID" value is "4797".
- Mapped "Event.EventData.Data@TargetUserName" to "event1.idm.read_only_udm.target.user.userid" when "Event.System.EventID" value is "4797".
- Mapped "Event.EventData.Data@TargetDomainName" to "event1.idm.read_only_udm.target.administrative_domain" when "Event.System.EventID" value is "4797".
2023-11-10 Enhancement:
- Added support for EventIDs 4098, 14554 logs.
- Mapped "Keywords" to "additional.fields".
- Mapped "AttributeLDAPDisplayName" to "target.resource.attribute.labels" for EventId 5136.
2023-11-02 Enhancement:
- For logs with EventId 4624:
- Added a new Grok pattern to parse log with EventId 4624.
- Mapped "PrincipalDomain" to "principal.administrative_domain".
- Mapped "PrincipalAccountName" to "principal.user.userid".
- Mapped "TargetAccountName" to "target.user.userid".
- Mapped "TargetDomain" to "target.administrative_domain".
- Mapped "Logon GUID" to "principal.resource.id".
- Mapped "ProcessID" to "target.process.pid".
- Mapped "SourceAddress" to "principal.ip".
- Mapped "Security_ID", "VirtualAccount", "EventCategory", "ImpersonationLevel", "LinkedLogonID", "NetworkAccountName", "NetworkAccountDomain",and "RestrictedAdminMode" to "security_result.detection_fields".
- Mapped "LogonID" and "TargetLogonID" to "about.labels".
- Mapped "AgentDevice" to "additional.fields".
- Mapped "EventType" to "target.registry.registry_key".
- Mapped "SourcePort" to "principal.port".
- For logs with EventId 4794:
- Mapped "Workstation" to "principal.hostname".
- Mapped "ProcessId" to "principal.process.pid".
- Mapped "SourceName" to "target.application".
- Mapped "ProviderGuid" to "target.resource.product_object_id".
2023-10-10 Enhancement:
- Added support for EventIDs 403,404,410,510,1001,1502,1100,4105,4703,4793,4797,4954,5158,5379,5827,6417,10016,10028,18452,36871,1073748860,1073747010,
2147483684 logs.
- Added support for logs that contain Task =~ "SE_ADT".
- Added null check for "AccountName" for EventID=1704,4624,4625,5861.
2023-09-12 Bug-Fix:
- Removed mapping of "ProcessName" from "principal.user.userid".
- Added support for new pattern of 4781 event logs.
- Checked and added "on_error" for "ProviderGuid","LogonID","SourceName","Task","SourceModuleName","SourceModuleType" for EventID=4825.
- Added null check for "UserID" for EventID=517.
- Added support for new pattern of 4731 event logs.
2023-08-25 - Resolved issue caused due to mapping of "security_result.about.resource.type".
2023-08-21 Bug-Fix:
- Mapped "Account Name" to "principal.user.userid" for EventID 4625 logs.
- Mapped "Account Domain" to "principal.administrative_domain" for EventID 4625 logs.
- Mapped "Workstation Name" to "principal.hostname" for EventID 4625 logs.
- Mapped "Caller Process Id" to "principal.process.pid" for EventID 4625 logs.
- Mapped "Source Network Address" to "principal.ip" for EventID 4625 logs.
- Mapped "Source Port" to "principal.port" for EventID 4625 logs.
- Mapped "Logon Process" to "additional.fields" for EventID 4625 logs.
- Mapped "Opcode" to "about.labels".
- Mapped "SubjectLogonId" to "principal.labels".
- Mapped "SubjectUserSid" to "principal.user.windows_sid".
- Mapped "ServiceName" to "target.application".
- Mapped "ImpersonationLevel" to "about.labels".
- Mapped "TargetHandleId" to "about.labels".
- Mapped "RestrictedAdminMode" to "about.labels".
- Mapped "TargetOutboundDomainName" to "target.user.attribute.labels".
- Mapped "KeyLength" to "target.labels".
- Mapped "LmPackageName" to "target.labels".
- Mapped "TargetLogonId" to "target.labels".
- Mapped "TransmittedServices" to "target.labels".
- Mapped "TargetLinkedLogonId" to "target.labels".
- Mapped "VirtualAccount" to "target.labels".
- Mapped "OldSd" to "target.resource.attribute.labels".
- Mapped "NewSd" to "target.resource.attribute.labels".
2023-07-24 Enhancement:
- Added support for EventID 16384 and 16394.
- Handled nested XML EventID logs.
2023-03-17 Enhancement:
- Supported key-value format logs.
- Mapped "Channel", "SubjectLogonId", and "ThreadId" to "additional.labels".
Enhancement: Parsed the logs with EventID's 4674, 4932, and 4933.
- When "EventID" is 4731, 4732, 4733, 4734, 4735, 4737, 4798, or 4799, mapped the following:
- Mapped "TargetDomainName" to "target.administrative_domain".
- Mapped "TargetSid" to "target.user.windows_sid".
2023-01-15 Enhancement:
- For "EventId": 8004.
- Mapped "Task" to "target.resource.type".
- Mapped "DomainName" to "principal.administrative_domain".
- Mapped "Keywords","Channel","Level","SChannelName","SChannelType","Opcode" to "".
- Mapped "ThreadID" to "target.resource.attribute.labels".
2023-01-13 Enhancement:
- Handled unparsed logs having "EventId": 5001, 5007.
- Mapped "ProcessID" to "target.process.pid".
- Mapped "ProviderGuid" to "target.resource.product_object_id".
- Mapped "UserID" to "target.user.windows_sid".
- Mapped "ProductName" and "ProductVersion" to "metadata.product_version".
- Mapped "metadata.event_type" to "STATUS_UPDATE".
2022-12-06 Enhancement:
- Handled unparsed logs having "EventId": 8004.