Change log for ADAUDIT_PLUS

Date Changes
2024-05-20 Enhancement :
- If the value of the field "outcome" is similar to "Success", set "security_result.action" to "ALLOW".
- If the value of the field "msg_data" is similar to "Success", set "security_result.action" to "ALLOW".
- Added a Grok pattern over "msg_data" to extract "act", "suid" and "reason".
- Mapped "msg_data" to "security_result.description".
- Mapped "cs1", "cs3", "cs4", "cs5", "cn1", "cn2", and "cn3" to "additional.fields".
2024-01-19 Enhancement :
- Modified a Grok pattern to parse unparsed logs.
- Mapped "IP" to "principal.asset.ip".
- Mapped "_PrincipalIP" to "principal.asset.ip".
- Mapped "host" to "principal.asset.hostname".
- Mapped "principalHost" to "principal.asset.hostname".
- Mapped "SOURCE" to "principal.asset.hostname".
- Mapped "_TargetIP" to "target.asset.ip".
- Mapped "CLIENT_IP_ADDRESS" to "target.asset.hostname".
- Mapped "CLIENT_HOST_NAME" to "target.asset.hostname".
- Mapped "targetHost" to "target.asset.hostname".
2023-10-17 Bug-Fix :
- Added IP check before mapping "IP" to "principal.ip".
- Added IP check before mapping "CLIENT_IP_ADDRESS" to "target.ip".
- Added validation check for "ACCOUNT_SID" before mapping to "principal.group.windows_sid".
- Added validation check for "CALLER_USER_SID" before mapping to "target.group.windows_sid".
- When "principal" is present, set "event_type" to "STATUS_UPDATE".
- Modified a Grok pattern to parse "file_path" from the new pattern of "FORMAT_MESSAGE".
- Added a check for "has_target_resource" when "event_type" is "SCHEDULED_TASK_CREATION".
2023-03-17 Enhancement :
- Supported CEF format logs and mapped the following fields:
  - "IP" mapped to "principal.ip".
  - "LOGIN NAME" mapped to "target.user.userid", "target.user.email_addresses" or "target.user.user_display_name".
  - "DOMAIN NAME" mapped to "principal.administrative_domain".
  - "HOST" mapped to "principal.hostname".
  - "ACCESS_MODE" mapped to "security_result.detection_fields".
  - "STATUS" mapped to "security_result.summary".
  - If "STATUS" is "success", then "security_result.action" is mapped to "ALLOW"; else, if "STATUS" is "denied or incorrect", then "security_result.action" is mapped to "BLOCK".