Change log for ADFS
Date | Changes |
---|---|
2025-04-22 | Enhancement:
- event.idm.read_only_udm.network.http.parsed_user_agent: Replaced the `convert` and `rename` operations that populated this UDM field from the `User Agent` field with `replace` followed by `convert` using `on_error`. The value is now assigned directly and converted only when needed, which avoids errors when the field is already a string.
- Initialized the `TargetDomainName` and `KeyName` fields with empty strings.
- Added a condition to prevent mapping empty or `-` values to `event.idm.read_only_udm.network.http.method`.
- Added a condition to prevent mapping empty or `--` values to `event.idm.read_only_udm.network.http.referral_url`. |
2025-03-21 | Enhancement:
- Mapped "EventType", "gmi_sourcetype" and "SeverityValue" from the raw log to "additional.fields" (new UDM field mappings; previously unmapped).
- Mapped "Task" and "Opcode" from the raw log to "security_result.detection_fields" (new UDM field mappings; previously unmapped).
- Mapped "Relying party" from the Message field to "additional.fields" for EventID 299.
- Mapped "content_length", "caller_identity", "certificate_identity", "Targeted relying party", "through_proxy" and "proxy_dns_name" from the Message field to "additional.fields" for EventID 403.
- Mapped "port", "x_ms_client_application", "x_ms_client_user_agent", "client_request_id", "x_ms_endpoint_absolute_path", "x_ms_forwarded_client_ip", "x_ms_proxy" and "x_ms_adfs_proxy_client_ip" from the Message field to "additional.fields" for EventID 410.
- Mapped "port" and "chronicle_tag" from the Message field to "additional.fields" for EventID 500 and EventID 501.
- Mapped the HTTP request headers "Upgrade-Insecure-Requests", "Origin", "Sec-Fetch-Site", "Sec-Fetch-Mode", "Sec-Fetch-User", "Sec-Fetch-Dest", "X-MS-Forwarded-Client-IP", "client-request-id", "X-MS-Proxy", "X-MS-Endpoint-Absolute-Path", "Cache-Control", "Content-Length", "Content-Type", "Accept", "Accept-Encoding", "Accept-Language", "Cookie", "Expect", "Host", "Referer", "Connection" and "charset" from the Message field to "additional.fields" for EventID 510.
- Added support for new EventID 1102, 1203 and 1210. |
2025-03-20 | Enhancement:
- Mapped "data" to "security_result.detection_fields" with the key "Activity ID" when Index is "1".
- Mapped "data" to "security_result.detection_fields" with the key "Request ID" when Index is "2".
- Mapped "data" to "principal.ip" and "principal.asset.ip" when Index is "4".
- Mapped "data" to "network.http.method" when Index is "5".
- Mapped "data" to "network.http.referral_url" when Index is "7".
- Mapped "data" to "network.http.response_code" when Index is "8".
- Mapped "data" to "target.ip" and "target.asset.ip" when Index is "9".
- Mapped "data" to "network.http.user_agent" and "network.http.parsed_user_agent" when Index is "10".
- If "metadata.event_type" is "GENERIC_EVENT", "STATUS_UPDATE" or "USER_UNCATEGORIZED", and "has_principal", "has_target" and "has_user" are all "true", then "metadata.event_type" is set to "USER_LOGIN" and "extensions.auth.type" is set to "AUTHTYPE_UNSPECIFIED".
- If "metadata.event_type" is "GENERIC_EVENT", "STATUS_UPDATE" or "USER_UNCATEGORIZED", and "has_principal", "has_target" and "is_http" are all "true", then "metadata.event_type" is set to "NETWORK_HTTP".
- If "metadata.event_type" is "GENERIC_EVENT", "STATUS_UPDATE" or "USER_UNCATEGORIZED", and "has_principal" and "has_target" are both "true", then "metadata.event_type" is set to "NETWORK_CONNECTION". |
2025-03-10 | Enhancement:
- Changed the "user_id" mapping from "principal.user.userid" to "target.user.userid". |
2025-02-20 | Enhancement:
- Mapped "principal_user" to "principal.user.userid".
- Added "gsub" to parse fields correctly. |
2024-11-21 | Enhancement:
- Added support for a new format of JSON logs.
- Changed "metadata.event_type" from "STATUS_UNCATEGORIZED" to "STATUS_UPDATE" where "has_principal" is true.
- Changed "metadata.event_type" from "SYSTEM_AUDIT_LOG_UNCATEGORIZED" to "STATUS_UPDATE" where "has_principal" is true. |
2024-09-09 | Enhancement:
- Mapped "_raw.Event.System.Computer" to "principal.hostname" and "principal.asset.hostname".
- Mapped "_raw.Event.System.EventRecordID" to "metadata.product_log_id".
- Mapped "_raw.Event.System.Channel", "_raw.Event.System.Keywords", "_raw.Event.System.Task", "_raw.Event.System.Level", "_raw.Event.System.EventID._value", "_raw.Event.System.EventID.Qualifiers", "source", "index", "sourcetype", "host" and "cribl" to "additional.fields". |
2024-08-28 | Enhancement:
- Added support for the XML logs with "AuditBase" fields. |
2024-07-31 | Enhancement:
- Added support for a new format of JSON logs. |
2024-07-30 | Enhancement:
- Added support for the XML logs. |
2024-05-27 | Enhancement
- Added a Grok pattern to extract "Instance ID" from "Message" and map it to "target.resource.product_object_id". |
2023-08-18 | Enhancement
- Added a Grok pattern to extract "email" from "Message" and map it to "principal.user.email_addresses". |
2023-06-31 | Enhancement
- Mapped the field "user_email" to "principal.user.email_addresses".
- Mapped the field "X-Forwarded-For" to "additional.fields". |
2023-06-26 | Enhancement
- Added a kv block to extract the values from the field "Message" where "EventID" is "404", "403", "342" or "364".
- Mapped the fields "Protocol Name", "Relying Party", "Exception details", "Token Type" and "Error message" to "additional.fields".
- Mapped the field "Client IP" to "principal.ip".
- Mapped the field "Local IP" to "target.ip".
- Mapped the field "Local Port" to "target.port".
- Mapped the fields "Url Absolute Path" and "Query string" to "target.url".
- Mapped the field "Instance ID" to "target.resource.product_object_id".
- Mapped the field "Activity ID" to "security_result.detection_fields".
- Mapped the field "Status Code" to "network.http.response_code".
- Mapped the field "HTTP Method" to "network.http.method".
- Mapped the field "User Agent" to "network.http.user_agent" and "network.http.parsed_user_agent". |
2023-06-08 | Enhancement
- Added an 'on_error' condition for the 'EventID' and 'RecordNumber' conversions.
- Added a validation check for the event_type 'SYSTEM_AUDIT_LOG_UNCATEGORIZED'.
- Changed 'metadata.event_type' from 'GENERIC_EVENT' to 'STATUS_UPDATE' where 'principal.hostname' is not null. |
2023-02-02 | Enhancement
- Added "UNIX","UNIX_MS","ISO8601" in date block to parse logs for which "EventTime","EventReceivedTime" might be in this format. |
2022-08-09 | Bug fix
- Mapped the "AdapterSuffixName" field to "intermediary.hostname". |
2022-07-08 | Enhancement:
- Modified mapping for the field 'AdapterSuffixName' from 'target.asset.hostname' to 'intermediary.hostname'. |
2022-05-18 | Newly Created Parser
|
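The 2023-06-26 entry (kv extraction of the ADFS Message body and its field mappings), the 2025-04-22 entry (do not map empty or `-` values, convert with `on_error`) and the 2025-03-20 entry (the `USER_LOGIN` / `NETWORK_HTTP` / `NETWORK_CONNECTION` precedence) describe one pipeline. The Python below, an added example that is not the parser's own code and not part of this change log, models that pipeline end to end so the precedence and the "-" handling can be checked on a sample. The Message text is constructed for the example; the `has_user` test (a `principal.user` being present) and the plain-dict UDM layout are assumptions, since the page does not define them.

```python
import ipaddress
import re

# Constructed sample in the "Key: Value" layout of an ADFS EventID 403 Message.
# Written for this example; it is not a log captured from a server.
SAMPLE_MESSAGE = (
    "An HTTP request was received. See audit 510 with the same Instance ID for headers.\n"
    "Instance ID: 7f1d2c3a-1111-4b8e-9c1d-222222222222\n"
    "Activity ID: 33333333-4444-5555-6666-777777777777\n"
    "Request Details:\n"
    "\tDate And Time: 2025-03-20 10:15:01\n"
    "\tClient IP: 203.0.113.10\n"
    "\tHTTP Method: POST\n"
    "\tUrl Absolute Path: /adfs/ls/\n"
    "\tQuery string: ?client-request-id=9e0d\n"
    "\tLocal Port: 443\n"
    "\tLocal IP: 10.0.0.5\n"
    "\tUser Agent: Mozilla/5.0\n"
    "\tContent Length: 512\n"
    "\tCaller Identity: -\n"
    "\tRelying Party: urn:federation:MicrosoftOnline\n"
    "\tThrough Proxy: True\n"
)

# Non-greedy key so "Date And Time: 2025-03-20 10:15:01" splits at the first colon.
KV_LINE = re.compile(r"^\s*([^:]+?):\s?(.*)$")


def parse_kv(message):
    """Split a Message body into {key: value}, like the parser's kv block."""
    fields = {}
    for line in message.splitlines():
        m = KV_LINE.match(line)
        if not m:
            continue  # narrative lines such as the first sentence carry no key
        key, value = m.group(1).strip(), m.group(2).strip()
        # "Request Details:" is a section header with no value: skip it.
        if value and key not in fields:
            fields[key] = value
    return fields


def _ip(value):
    """Return value only if it parses as an IP; ADFS writes '-' when unknown."""
    try:
        ipaddress.ip_address(value)
        return value
    except ValueError:
        return None


def to_udm(fields, user_id=None):
    """Apply the mappings listed in the 2023-06-26 and 2025-04-22 entries."""
    udm = {"principal": {}, "target": {}, "network": {}, "additional": {}, "security_result": {}}
    p, t = udm["principal"], udm["target"]
    if _ip(fields.get("Client IP", "")):
        p["ip"] = [fields["Client IP"]]
    if _ip(fields.get("Local IP", "")):
        t["ip"] = [fields["Local IP"]]
    try:
        t["port"] = int(fields["Local Port"])
    except (KeyError, ValueError):
        pass  # on_error: leave the field unset instead of failing the event
    if fields.get("Url Absolute Path"):
        t["url"] = fields["Url Absolute Path"] + fields.get("Query string", "")
    if fields.get("Instance ID"):
        t["resource"] = {"product_object_id": fields["Instance ID"]}
    if fields.get("Activity ID"):
        udm["security_result"]["detection_fields"] = [
            {"key": "Activity ID", "value": fields["Activity ID"]}]
    http = {}
    method = fields.get("HTTP Method", "")
    if method and method != "-":  # 2025-04-22: never map empty or "-" methods
        http["method"] = method
    try:
        http["response_code"] = int(fields["Status Code"])
    except (KeyError, ValueError):
        pass  # on_error again: 403 messages carry no Status Code
    if fields.get("User Agent"):
        http["user_agent"] = fields["User Agent"]
    if http:
        udm["network"]["http"] = http
    for key in ("Protocol Name", "Relying Party", "Token Type", "Error message", "Exception details"):
        if fields.get(key):
            udm["additional"][key] = fields[key]
    if user_id:  # assumption: this is what makes has_user true
        p["user"] = {"userid": user_id}
    return udm


def classify(udm):
    """Event-type precedence from the 2025-03-20 entry: first match wins."""
    has_principal = bool(udm["principal"])
    has_target = bool(udm["target"])
    has_user = "user" in udm["principal"]
    is_http = "http" in udm["network"]
    if has_principal and has_target and has_user:
        return "USER_LOGIN"
    if has_principal and has_target and is_http:
        return "NETWORK_HTTP"
    if has_principal and has_target:
        return "NETWORK_CONNECTION"
    return "GENERIC_EVENT"
```

The order in `classify` matters: an HTTP event that also carries a user becomes `USER_LOGIN`, not `NETWORK_HTTP`. The `_ip` check shows why `has_principal` is worth gating on a validated value: an ADFS request with `Client IP: -` produces no principal at all and falls through to `GENERIC_EVENT` rather than a misleading `NETWORK_CONNECTION`.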