Change log for ADAUDIT_PLUS
Date | Changes |
---|---|
2024-05-20 | Enhancement:<br>- If the value of the field "outcome" is similar to "Success", set "security_result.action" to "ALLOW".<br>- If the value of the field "msg_data" is similar to "Success", set "security_result.action" to "ALLOW".<br>- Added a Grok pattern over "msg_data" to extract "act", "suid" and "reason".<br>- Mapped "msg_data" to "security_result.description".<br>- Mapped "cs1", "cs3", "cs4", "cs5", "cn1", "cn2", and "cn3" to "additional.fields". |
2024-01-19 | Enhancement:<br>- Modified a Grok pattern to parse unparsed logs.<br>- Mapped "IP" to "principal.asset.ip".<br>- Mapped "_PrincipalIP" to "principal.asset.ip".<br>- Mapped "host" to "principal.asset.hostname".<br>- Mapped "principalHost" to "principal.asset.hostname".<br>- Mapped "SOURCE" to "principal.asset.hostname".<br>- Mapped "_TargetIP" to "target.asset.ip".<br>- Mapped "CLIENT_IP_ADDRESS" to "target.asset.hostname".<br>- Mapped "CLIENT_HOST_NAME" to "target.asset.hostname".<br>- Mapped "targetHost" to "target.asset.hostname". |
2023-10-17 | Bug-Fix:<br>- Added IP check before mapping "IP" to "principal.ip".<br>- Added IP check before mapping "CLIENT_IP_ADDRESS" to "target.ip".<br>- Added validation check for "ACCOUNT_SID" before mapping to "principal.group.windows_sid".<br>- Added validation check for "CALLER_USER_SID" before mapping to "target.group.windows_sid".<br>- When "principal" is present, set "event_type" to "STATUS_UPDATE".<br>- Modified a Grok pattern to parse "file_path" from the new pattern of "FORMAT_MESSAGE".<br>- Added a check for "has_target_resource" when "event_type" is "SCHEDULED_TASK_CREATION". |
2023-03-17 | Enhancement:<br>- Supported CEF format logs and mapped the following fields:<br>&nbsp;&nbsp;- "IP" mapped to "principal.ip".<br>&nbsp;&nbsp;- "LOGIN NAME" mapped to "target.user.userid" or "target.user.email_addresses" or "target.user.user_display_name".<br>&nbsp;&nbsp;- "DOMAIN NAME" mapped to "principal.administrative_domain".<br>&nbsp;&nbsp;- "HOST" mapped to "principal.hostname".<br>&nbsp;&nbsp;- "ACCESS_MODE" mapped to "security_result.detection_fields".<br>&nbsp;&nbsp;- "STATUS" mapped to "security_result.summary".<br>&nbsp;&nbsp;- If "STATUS" is "success" then "security_result.action" is mapped to "ALLOW"; else if "STATUS" is "denied" or "incorrect" then "security_result.action" is mapped to "BLOCK". |
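The following Python script is an added example and is not the ADAUDIT_PLUS parser's own code. It applies the field mappings listed for 2023-03-17 and the validation checks added in the 2023-10-17 bug fix to a few constructed records, to show why the IP and SID checks matter: without them, a value such as "not-an-ip" or "garbage" would be written into "principal.ip" or "principal.group.windows_sid". Several details are assumptions, not taken from the change log: the "STATUS" comparison is a case-insensitive substring match, "LOGIN NAME" goes to "target.user.email_addresses" when it contains "@" and to "target.user.userid" otherwise, the SID check is a simple shape regex, and "GENERIC_EVENT" is used as the fallback event type when nothing could be mapped onto "principal". All sample field values are made up.

```python
"""Added example (not the ADAUDIT_PLUS parser's code): apply the change-log
mapping rules and validation checks to constructed ADAudit Plus records."""
import ipaddress
import re

# Constructed sample records: field names come from the change log, values are made up.
SAMPLE_RECORDS = [
    {"IP": "10.20.30.40", "LOGIN NAME": "jdoe", "DOMAIN NAME": "CORP", "HOST": "dc01",
     "ACCESS_MODE": "Interactive", "STATUS": "Success",
     "ACCOUNT_SID": "S-1-5-21-1111111111-2222222222-3333333333-1105",
     "CLIENT_IP_ADDRESS": "192.168.1.25"},
    {"IP": "not-an-ip", "LOGIN NAME": "svc_backup", "STATUS": "Denied",
     "ACCOUNT_SID": "garbage", "CLIENT_IP_ADDRESS": "172.16.5.9"},
    {"IP": "", "LOGIN NAME": "admin@corp.example", "STATUS": "Incorrect password"},
]

# Assumed SID shape check: S-1-<identifier authority>-<one or more sub-authorities>.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def is_ip(value):
    """True only for a syntactically valid IPv4/IPv6 address (the 2023-10-17 IP check)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_sid(value):
    """True only for a string shaped like a Windows SID (the 2023-10-17 SID check)."""
    return bool(value) and SID_RE.match(value) is not None


def action_from_status(status):
    """STATUS -> security_result.action. Assumed: case-insensitive substring match."""
    s = (status or "").lower()
    if "success" in s:
        return "ALLOW"
    if "denied" in s or "incorrect" in s:
        return "BLOCK"
    return None


def normalize(record):
    """Apply the change-log mappings to one record and return a UDM-like dict."""
    principal, target, sec = {}, {}, {}

    # IP fields are mapped only after validation, so junk never lands in an ip field.
    if is_ip(record.get("IP", "")):
        principal["ip"] = record["IP"]
    if is_ip(record.get("CLIENT_IP_ADDRESS", "")):
        target["ip"] = record["CLIENT_IP_ADDRESS"]

    # SID fields likewise get a shape check before mapping.
    if is_sid(record.get("ACCOUNT_SID", "")):
        principal.setdefault("group", {})["windows_sid"] = record["ACCOUNT_SID"]
    if is_sid(record.get("CALLER_USER_SID", "")):
        target.setdefault("group", {})["windows_sid"] = record["CALLER_USER_SID"]

    if record.get("DOMAIN NAME"):
        principal["administrative_domain"] = record["DOMAIN NAME"]
    if record.get("HOST"):
        principal["hostname"] = record["HOST"]

    # LOGIN NAME: assumed selection rule, email if it contains "@", otherwise userid.
    login = record.get("LOGIN NAME")
    if login:
        user = target.setdefault("user", {})
        if "@" in login:
            user["email_addresses"] = [login]
        else:
            user["userid"] = login

    if record.get("ACCESS_MODE"):
        sec["detection_fields"] = [{"key": "ACCESS_MODE", "value": record["ACCESS_MODE"]}]
    if record.get("STATUS"):
        sec["summary"] = record["STATUS"]
        action = action_from_status(record["STATUS"])
        if action:
            sec["action"] = action

    # 2023-10-17: a populated principal yields STATUS_UPDATE; GENERIC_EVENT is the
    # assumed fallback when nothing could be mapped onto principal.
    event_type = "STATUS_UPDATE" if principal else "GENERIC_EVENT"
    return {"event_type": event_type, "principal": principal,
            "target": target, "security_result": sec}


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(normalize(rec))
```

Running the script prints one normalized dict per sample record; the second record shows the effect of the validation checks, since its invalid "IP" and "ACCOUNT_SID" are dropped while the valid "CLIENT_IP_ADDRESS" still reaches "target.ip".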