Change log for AZURE_AD
| Date | Changes |
|---|---|
| 2025-08-24 | Enhancement:
- 'event.idm.read_only_udm.network.session_id': Newly mapped 'sessionId' raw log field with 'event.idm.read_only_udm.network.session_id' UDM field. - 'event.idm.read_only_udm.additional.fields': Newly mapped 'tokenIssuerType', 'clientCredentialType', 'processingTimeInMilliseconds', 'appOwnerTenantId', 'userType', 'originalTransferMethod' and 'resourceOwnerTenantId' raw log field with 'event.idm.read_only_udm.additional.fields' UDM field. - 'event.idm.read_only_udm.target.resource.attribute.labels': Newly mapped 'resourceTenantId' raw log field with 'event.idm.read_only_udm.target.resource.attribute.labels' UDM field. - 'event.idm.read_only_udm.principal.resource.attribute.labels': Newly mapped 'homeTenantId' and 'servicePrincipalId' raw log field with 'event.idm.read_only_udm.principal.resource.attribute.labels' UDM field. - 'event.idm.read_only_udm.security_result.detection_fields': Newly mapped 'flaggedForReview', 'isTenantRestricted', 'tokenProtectionStatusDetails.signInSessionStatus', 'authenticationContextClassReference.id', and 'authenticationContextClassReference.detail' raw log field with 'event.idm.read_only_udm.security_result.detection_fields' UDM field. - 'event.idm.read_only_udm.additional.fields': Removed mapping of `failureReason` from `event.idm.read_only_udm.additional.fields` UDM field. 'event.idm.read_only_udm.additional.fields': Mapped `failureReason` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. |
| 2025-08-19 | Enhancement:
- 'event.idm.read_only_udm.additional.fields': Newly mapped 'uniqueTokenIdentifier' raw log field with 'event.idm.read_only_udm.additional.fields' UDM field. - 'event.idm.read_only_udm.network.session_id': Newly mapped 'sessionId' raw log field with 'event.idm.read_only_udm.network.session_id' UDM field. - 'event.idm.read_only_udm.additional.fields': Newly mapped 'incomingTokenType' raw log field with 'event.idm.read_only_udm.additional.fields' UDM field. - 'event.idm.read_only_udm.additional.fields': Newly mapped 'autonomousSystemNumber' raw log field with 'event.idm.read_only_udm.additional.fields' UDM field. - 'event.idm.read_only_udm.additional.fields': Newly mapped 'crossTenantAccessType' raw log field with 'event.idm.read_only_udm.additional.fields' UDM field. - 'event.idm.read_only_udm.security_result.detection_fields': Newly mapped 'signInTokenProtectionStatus' raw log field with 'event.idm.read_only_udm.security_result.detection_fields' UDM field. |
| 2025-08-13 | Enhancement:
- 'event.idm.read_only_udm.security_result.rule_id': Removed mapping of 'resultType' from event.idm.read_only_udm.security_result.rule_id UDM field as the policy id is also mapped to 'event.idm.read_only_udm.security_result.rule_id' UDM field which is creating confusion between the values. - 'event.idm.read_only_udm.additional.fields': Mapped 'resultType' raw log field with event.idm.read_only_udm.additional.fields UDM field. |
| 2025-08-11 | Enhancement:
- 'event.idm.read_only_udm.target.user.userid': Newly mapped TargetUserName raw log field to event.idm.read_only_udm.target.user.userid. - 'event.idm.read_only_udm.target.user.windows_sid': Newly mapped TargetUserSid and TargetSid raw log fields to event.idm.read_only_udm.target.user.windows_sid. - 'event.idm.read_only_udm.target.administrative_domain': Newly mapped TargetDomainName raw log field to event.idm.read_only_udm.target.administrative_domain. - 'event.idm.read_only_udm.principal.user.userid': Newly mapped SubjectUserName raw log field to event.idm.read_only_udm.principal.user.userid. - 'event.idm.read_only_udm.principal.user.windows_sid': Newly mapped SubjectUserSid raw log field to event.idm.read_only_udm.principal.user.windows_sid. - 'event.idm.read_only_udm.principal.administrative_domain': Newly mapped SubjectDomainName raw log field to event.idm.read_only_udm.principal.administrative_domain. - 'event.idm.read_only_udm.principal.ip': Newly mapped IpAddress and SourceIpAddress raw log fields to event.idm.read_only_udm.principal.ip. - 'event.idm.read_only_udm.principal.asset.ip': Newly mapped IpAddress and SourceIpAddress raw log fields to event.idm.read_only_udm.principal.asset.ip. - 'event.idm.read_only_udm.principal.port': Newly mapped IpPort raw log field to event.idm.read_only_udm.principal.port. - 'event.idm.read_only_udm.principal.resource.attribute.labels': Newly mapped SubjectLogonId raw log field to event.idm.read_only_udm.principal.resource.attribute.labels. - 'event.idm.read_only_udm.target.resource.attribute.labels': Newly mapped TargetLogonId, LmPackageName, ObjectServer, and HandleId raw log fields to event.idm.read_only_udm.target.resource.attribute.labels. - 'event.idm.read_only_udm.target.process.file.names': Newly mapped LogonProcessName raw log field to event.idm.read_only_udm.target.process.file.names. - 'event.idm.read_only_udm.extensions.auth.auth_details': Newly mapped LogonType raw log field to event.idm.read_only_udm.extensions.auth.auth_details. - 'event.idm.read_only_udm.target.hostname': Newly mapped WorkstationName raw log field to event.idm.read_only_udm.target.hostname. - 'event.idm.read_only_udm.target.asset.hostname': Newly mapped WorkstationName raw log field to event.idm.read_only_udm.target.asset.hostname. - 'event.idm.read_only_udm.target.process.pid': Newly mapped ProcessId raw log field to event.idm.read_only_udm.target.process.pid. - 'event.idm.read_only_udm.target.process.file.full_path': Newly mapped ProcessName raw log field to event.idm.read_only_udm.target.process.file.full_path. - 'event.idm.read_only_udm.principal.process.pid': Newly mapped CallerProcessId raw log field to event.idm.read_only_udm.principal.process.pid. - 'event.idm.read_only_udm.principal.process.file.full_path': Newly mapped CallerProcessName raw log field to event.idm.read_only_udm.principal.process.file.full_path. - 'event.idm.read_only_udm.target.resource.resource_subtype': Newly mapped ObjectType raw log field to event.idm.read_only_udm.target.resource.resource_subtype. - 'event.idm.read_only_udm.target.resource.name': Newly mapped ObjectName raw log field to event.idm.read_only_udm.target.resource.name. - 'event.idm.read_only_udm.target.application': Newly mapped ServiceName raw log field to event.idm.read_only_udm.target.application. - 'event.idm.read_only_udm.target.resource.user.windows_sid': Newly mapped ServiceSid raw log field to event.idm.read_only_udm.target.resource.user.windows_sid. - 'event.idm.read_only_udm.metadata.product_log_id': Newly mapped EventRecordID (from properties.RecordId) raw log field to event.idm.read_only_udm.metadata.product_log_id. - 'event.idm.read_only_udm.security_result.about.resource.name': Newly mapped AuthenticationPackageName raw log field to event.idm.read_only_udm.security_result.about.resource.name. - 'event.idm.read_only_udm.security_result.description': Newly mapped resultDescription raw log field to event.idm.read_only_udm.security_result.description. - 'event.idm.read_only_udm.about.artifact.last_https_certificate.serial_number': Newly mapped CertSerialNumber raw log field to event.idm.read_only_udm.about.artifact.last_https_certificate.serial_number. - 'event.idm.read_only_udm.additional.fields': Newly mapped KeyLength, ImpersonationLevel, CertIssuerName, and CertThumbprint raw log fields to event.idm.read_only_udm.additional.fields. - 'event.idm.read_only_udm.security_result.detection_fields': Newly mapped LogonGuid, TransmittedServices, OldSd, TicketOptions, Status, TicketEncryptionType and NewSd raw log fields to event.idm.read_only_udm.security_result.detection_fields. - 'event.idm.read_only_udm.metadata.event_type': Added logic to set event.idm.read_only_udm.metadata.event_type to USER_CHANGE_PERMISSIONS or USER_LOGOUT based on category and resultDescription fields. - 'event.idm.read_only_udm.extensions.auth.mechanism': Newly mapped PreAuthType raw log field to event.idm.read_only_udm.extensions.auth.mechanism. |
| 2025-08-04 | Enhancement:
- event.idm.read_only_udm.security_result.rule_id: Removed mapping of 'errorCode' from event.idm.read_only_udm.security_result.rule_id UDM field as the policy id is already mapped in 'event.idm.read_only_udm.security_result.rule_id' UDM field. - event.idm.read_only_udm.security_result.detection_fields: Mapped 'errorCode' raw log field with event.idm.read_only_udm.security_result.detection_fields UDM field. - event.idm.read_only_udm.security_result.detection_fields: Newly mapped 'properties.status.errorCode' raw log field with event.idm.read_only_udm.security_result.detection_fields UDM field. |
| 2025-07-04 | Enhancement:
- event.idm.read_only_udm.metadata.event_timestamp: Newly mapped "record_time" with "event.idm.read_only_udm.metadata.event_timestamp" UDM field by replacing the value of "record.time" with "record_time". - event.idm.read_only_udm.target.resource.product_object_id : Newly mapped "record_resourceId" field with "event.idm.read_only_udm.target.resource.product_object_id" UDM field by replacing the value of "record.resourceId" with "record_resourceId". - event.idm.read_only_udm.target.user.user_display_name: Newly mapped "record_identity" field with "event.idm.read_only_udm.target.user.user_display_name" UDM field by replacing the value of "record.identity" with "record_identity". - security_result.severity_details: Newly mapped "record_Level" field with "security_result.severity_details" UDM field by replacing the value of "record.Level" with "record_Level". - event.idm.read_only_udm.metadata.product_event_type: Newly mapped "record_operationName" with "event.idm.read_only_udm.metadata.product_event_type" UDM field by replacing the value of "record.operationName" with "record_operationName". - event.idm.read_only_udm.extensions.auth.type: Set to "AUTHTYPE_UNSPECIFIED" if "record_operationName" equals "Sign-in activity" and "has_target_user" is "true". - Set "event_type" to "USER_LOGIN" if "record_operationName" equals "Sign-in activity" and "has_target_user" is "true". - event.idm.read_only_udm.metadata.product_version: Newly mapped "record_operationVersion" with "event.idm.read_only_udm.metadata.product_version" UDM field by replacing the value of "record.operationVersion" with "record_operationVersion". - event.idm.read_only_udm.metadata.description: Newly mapped "record_category" with "event.idm.read_only_udm.metadata.description" UDM field by replacing the value of "record.category" with "record_category". - event.idm.read_only_udm.metadata.product_deployment_id: Newly mapped "record_tenantId" with "event.idm.read_only_udm.metadata.product_deployment_id" UDM field by replacing the value of "record.tenantId" with "record_tenantId". - event.idm.read_only_udm.additional.fields: Newly mapped "record_resultType", "record_durationMs" ,"record_properties_id" with "event.idm.read_only_udm.additional.fields" UDM field by replacing the value of "record.resultType" with "record_resultType", "record.durationMs" with "record_durationMs" and "record.properties.id" with "record_properties_id". - Set "event.idm.read_only_udm.security_result.summary" to "Successful login occurred" and "action" to "ALLOW" if "record_resultType" is "0" and "record_operationName" is "Sign-in activity". - event.idm.read_only_udm.target.resource.attribute.labels: Newly mapped "record_resultSignature" ,"record_properties_appId" with "event.idm.read_only_udm.target.resource.attribute.labels" UDM field by replacing the value of "record.resultSignature" with "record_resultSignature" and "record.properties.appId" with "record_properties_appId". - event.idm.read_only_udm.principal.ip and event.idm.read_only_udm.principal.asset.ip: Newly mapped "record_callerIpAddress", "record_properties_ipAddress" with "event.idm.read_only_udm.principal.ip" and "event.idm.read_only_udm.principal.asset.ip" UDM fields by replacing the value of "record.callerIpAddress" with "record_callerIpAddress" and "record.properties.ipAddress" with "record_properties_ipAddress". - event.idm.read_only_udm.metadata.product_log_id: Newly mapped "record_correlationId" with "event.idm.read_only_udm.metadata.product_log_id" UDM field by replacing the value of "record.correlationId" with "record_correlationId". - event.idm.read_only_udm.target.user.attribute.labels: Newly mapped "record_properties_userDisplayName" with "event.idm.read_only_udm.target.user.attribute.labels" UDM field by replacing the value of "record.properties.userDisplayName" with "record_properties_userDisplayName". - event.idm.read_only_udm.target.user.email_address: Newly mapped "record_properties_userPrincipalName" with "event.idm.read_only_udm.target.user.email_address" UDM field by replacing the value of "record.properties.userPrincipalName" with "record_properties_userPrincipalName". - event.idm.read_only_udm.target.user.product_object_id: Newly mapped "record_properties_userId" with "event.idm.read_only_udm.target.user.product_object_id" UDM field by replacing the value of "record.properties.userId" with "record_properties_userId". - event.idm.read_only_udm.target.application: Newly mapped "record_properties_appDisplayName" with "event.idm.read_only_udm.target.application" UDM field by replacing the value of "record.properties.appDisplayName" with "record_properties_appDisplayName". - if "record_properties_status_errorCode" is "0", then set "event.idm.read_only_udm.security_result.summary" to "Successful login occurred" and "event.idm.read_only_udm.security_result.action" to "ALLOW" by replacing the value of "record.properties.status.errorCode" with "record_properties_status_errorCode". - event.idm.read_only_udm.principal.application: Newly mapped "record_properties_clientAppUsed" with "event.idm.read_only_udm.principal.application" UDM field by replacing the value of "record.properties.clientAppUsed" with "record_properties_clientAppUsed". - event.idm.read_only_udm.network.http.user_agent,event.idm.read_only_udm.network.http.parsed_user_agent: Newly mapped "record_properties_userAgent" with "event.idm.read_only_udm.network.http.user_agent","event.idm.read_only_udm.network.http.parsed_user_agent" UDM fields by replacing the value of "record.properties.userAgent" with "record_properties_userAgent". - event.idm.read_only_udm.target.resource.attribute.labels: Newly mapped "record_properties_UDI_RequiredFields_TenantId" ,"record_properties_UDI_RequiredFields_UniqueId","record_properties_UDI_RequiredFields_EventTime","record_properties_operationId","record_properties_requestId","record_properties_resourceDisplayName","record_properties_resourceId","record_properties_resourceTenantId","record_properties_homeTenantId","record_properties_tenantId","record_properties_resourceOwnerTenantId","record_properties_resourceServicePrincipalId" with "event.idm.read_only_udm.target.resource.attribute.labels" UDM field by replacing the value of "record.properties.__UDI_RequiredFields_TenantId" with "record_properties_UDI_RequiredFields_TenantId", "record.properties.__UDI_RequiredFields_UniqueId" with "record_properties_UDI_RequiredFields_UniqueId", "record.properties.__UDI_RequiredFields_EventTime" with "record_properties_UDI_RequiredFields_EventTime", "record.properties.operationId" with "record_properties_operationId", "record.properties.requestId" with "record_properties_requestId", "record.properties.resourceDisplayName" with "record_properties_resourceDisplayName", "record.properties.resourceId" with "record_properties_resourceId", "record.properties.resourceTenantId" with "record_properties_resourceTenantId", "record.properties.homeTenantId" with "record_properties_homeTenantId", "record.properties.tenantId" with "record_properties_tenantId", "record.properties.resourceOwnerTenantId" with "record_properties_resourceOwnerTenantId", "record.properties.resourceServicePrincipalId" with "record_properties_resourceServicePrincipalId". - event.idm.read_only_udm.target.location.country_or_region: Newly mapped "record_properties_UDI_RequiredFields_RegionScope" with "event.idm.read_only_udm.target.location.country_or_region" UDM field by replacing the value of "record.properties.__UDI_RequiredFields_RegionScope" with "record_properties_UDI_RequiredFields_RegionScope". - event.idm.read_only_udm.principal.resource.attribute.labels: Newly mapped "record_properties_clientRequestId" with "event.idm.read_only_udm.principal.resource.attribute.labels" UDM field by replacing the value of "record.properties.clientRequestId" with "record_properties_clientRequestId". - event.idm.read_only_udm.security_result.detection_fields: Newly mapped "record_properties_apiVersion", "record_properties_agent_agentType" with "event.idm.read_only_udm.security_result.detection_fields" UDM field by replacing the value of "record.properties.apiVersion" with "record_properties_apiVersion" and "record.properties.agent.agentType" with "record_properties_agent_agentType". - event.idm.read_only_udm.network.http.method: Newly mapped "record_properties_requestMethod" with "event.idm.read_only_udm.network.http.method" UDM field by replacing the value of "record.properties.requestMethod" with "record_properties_requestMethod". - event.idm.read_only_udm.network.http.response_code: Newly mapped "record_properties_responseStatusCode" with "event.idm.read_only_udm.network.http.response_code" UDM field by replacing the value of "record.properties.responseStatusCode" with "record_properties_responseStatusCode". - event.idm.read_only_udm.network.received_bytes: Newly mapped "record_properties_responseSizeBytes" with "event.idm.read_only_udm.network.received_bytes" UDM field by replacing the value of "record.properties.responseSizeBytes" with "record_properties_responseSizeBytes". - event.idm.read_only_udm.additional.fields: Newly mapped "record_properties_signInActivityId", "record_properties_clientAuthMethod", "record_properties_wids", "record_properties_C_Idtyp", "record_properties_C_Iat", "record_properties_atContentP", "record_properties_atContentH", "record_properties_C_Sid", "record_properties_C_DeviceId", "record_properties_servicePrincipalId","record_properties_tokenIssuedAt","record_properties_conditionalAccessStatus","record_properties_originalRequestId","record_properties_tokenIssuerType","record_properties_riskDetail" ,"record_properties_clientCredentialType","record_properties_riskLevelAggregated","record_properties_riskLevelDuringSignIn","record_properties_riskState","record_properties_authenticationRequirement","record_properties_userType","record_properties_uniqueTokenIdentifier" with "event.idm.read_only_udm.additional.fields" UDM field by replacing the value of "record.properties.signInActivityId" with "record_properties_signInActivityId", "record.properties.clientAuthMethod" with "record_properties_clientAuthMethod", "record.properties.wids" with "record_properties_wids", "record.properties.C_Idtyp" with "record_properties_C_Idtyp", "record.properties.C_Iat" with "record_properties_C_Iat", "record.properties.atContentP" with "record_properties_atContentP", "record.properties.atContentH" with "record_properties_atContentH", "record.properties.C_Sid" with "record_properties_C_Sid", "record.properties.C_DeviceId" with "record_properties_C_DeviceId", "record.properties.servicePrincipalId" with "record_properties_servicePrincipalId", "record.properties.tokenIssuedAt" with "record_properties_tokenIssuedAt", "record.properties.conditionalAccessStatus" with "record_properties_conditionalAccessStatus", "record.properties.originalRequestId" with "record_properties_originalRequestId", "record.properties.tokenIssuerType" with "record_properties_tokenIssuerType", "record.properties.riskDetail" with "record_properties_riskDetail", "record.properties.clientCredentialType" with "record_properties_clientCredentialType", "record.properties.riskLevelAggregated" with "record_properties_riskLevelAggregated", "record.properties.riskLevelDuringSignIn" with "record_properties_riskLevelDuringSignIn", "record.properties.riskState" with "record_properties_riskState", "record.properties.authenticationRequirement" with "record_properties_authenticationRequirement", "record.properties.userType" with "record_properties_userType", "record.properties.uniqueTokenIdentifier" with "record_properties_uniqueTokenIdentifier". - event.idm.read_only_udm.target.user.role_name: Newly mapped "record_properties_roles" with "event.idm.read_only_udm.target.user.role_name" UDM field by replacing the value of "record.properties.roles" with "record_properties_roles". - event.idm.read_only_udm.principal.resource.product_object_id: Newly mapped "record_properties_UserPrincipalObjectID" with "event.idm.read_only_udm.principal.resource.product_object_id" UDM field by replacing the value of "record.properties.UserPrincipalObjectID" with "record_properties_UserPrincipalObjectID". - event.idm.read_only_udm.target.url: Newly mapped "record_properties_identityProvider" with "event.idm.read_only_udm.target.url" UDM field by replacing the value of "record.properties.identityProvider" with "record_properties_identityProvider". - event.idm.read_only_udm.network.http.referral_url: Newly mapped "record_properties_requestUri" with "event.idm.read_only_udm.network.http.referral_url" UDM field by replacing the value of "record.properties.requestUri" with "record_properties_requestUri". - event.idm.read_only_udm.principal.platform_version: Newly mapped "record_properties_deviceDetail_operatingSystem" with "event.idm.read_only_udm.principal.platform_version" UDM field by replacing the value of "record.properties.deviceDetail.operatingSystem" with "record_properties_deviceDetail_operatingSystem". - event.idm.read_only_udm.principal.platform: Set to "WINDOWS", "MAC", or "LINUX" based on value in "record_properties_deviceDetail_operatingSystem". - event.idm.read_only_udm.principal.user.user_display_name: Newly mapped "record_properties_deviceDetail_displayName" with "event.idm.read_only_udm.principal.user.user_display_name" UDM field by replacing the value of "record.properties.deviceDetail.displayName" with "record_properties_deviceDetail_displayName". - event.idm.read_only_udm.principal.asset.asset_id,event.idm.read_only_udm.principal.asset_id: Newly mapped "record_properties_deviceDetail_deviceId" with "event.idm.read_only_udm.principal.asset.asset_id" ,"event.idm.read_only_udm.principal.asset_id" UDM field by replacing the value of "record.properties.deviceDetail.deviceId" with "record_properties_deviceDetail_deviceId". - event.idm.read_only_udm.principal.location.country_or_region: Newly mapped "record_properties_location_countryOrRegion" with "event.idm.read_only_udm.principal.location.country_or_region" UDM field by replacing the value of "record.properties.location.countryOrRegion" with "record_properties_location_countryOrRegion". - event.idm.read_only_udm.principal.location.city: Newly mapped "record_properties_location_city" with "event.idm.read_only_udm.principal.location.city" UDM field by replacing the value of "record.properties.location.city" with "record_properties_location_city". - event.idm.read_only_udm.principal.location.state: Newly mapped "record_properties_location_state" with "event.idm.read_only_udm.principal.location.state" UDM field by replacing the value of "record.properties.location.state" with "record_properties_location_state". - event.idm.read_only_udm.principal.location.region_coordinates.latitude: Newly mapped "record_properties_location_geoCoordinates_latitude" with "event.idm.read_only_udm.principal.location.region_coordinates.latitude" UDM field by replacing the value of "record.properties.location.geoCoordinates.latitude" with "record_properties_location_geoCoordinates_latitude". - event.idm.read_only_udm.principal.location.region_coordinates.longitude: Newly mapped "record_properties_location_geoCoordinates_longitude" with "event.idm.read_only_udm.principal.location.region_coordinates.longitude" UDM field by replacing the value of "record.properties.location.geoCoordinates.longitude" with "record_properties_location_geoCoordinates_longitude". - "event.idm.read_only_udm.security_result.detection_fields": Newly Mapped "record.properties.authenticationProcessingDetails" to "event.idm.read_only_udm.security_result.detection_fields" UDM field by replacing the value of "record.properties.authenticationProcessingDetails" with "record_properties_authenticationProcessingDetails". - event.idm.read_only_udm.network.session_id: Newly mapped "record_properties_sessionId" with "event.idm.read_only_udm.network.session_id" UDM field by replacing the value of "record.properties.sessionId" with "record_properties_sessionId". - Merged "security_result" with "event.idm.read_only_udm.security_result". - Rename "event.idm.read_only_udm.additional" to "additional". - Set the "event.idm.read_only_udm.metadata.event_type" to "STATUS_UPDATE" if "has_principal" is "true" else map it to "GENERIC_EVENT". - Replaced the value of"record.AADTenantId" in "record_AADTenantId" and added a conditional check before already existing mapping for "record_AADTenantId" to "event.idm.read_only_udm.additional.fields". - Replaced the value of "record.AlternateSignInName" in "record_AlternateSignInName" and added a conditional check before already existing mapping for "record_AlternateSignInName" to "event.idm.read_only_udm.target.user.userid". - Replaced the value of "record.AppDisplayName" in "record_AppDisplayName" and added a conditional check before already existing mapping for "record_AppDisplayName" to "event.idm.read_only_udm.target.application". - Replaced the value of "record.AppId" in "record_AppId" and added a conditional check before already existing mapping for "record_AppId" to "event.idm.read_only_udm.target.asset.asset_id". - Replaced the value of "record.AuthenticationProcessingDetails" in "record_AuthenticationProcessingDetails" and added a conditional check before already existing mapping for "record_AuthenticationProcessingDetails" to "event.idm.read_only_udm.security_result.detection_fields". - Replaced the value of "record.AuthenticationDetails" in "record_AuthenticationDetails" and added a conditional check before already existing mapping for "record_AuthenticationDetails" to "event.idm.read_only_udm.security_result.detection_fields". - Replaced the value of "record.AuthenticationProtocol" in "record_AuthenticationProtocol" and added a conditional check before already existing mapping for "record_AuthenticationProtocol" to "event.idm.read_only_udm.security_result.detection_fields". - Replaced the value of "record.AuthenticationRequirement" in "record_AuthenticationRequirement" and added a conditional check before already existing mapping for "record_AuthenticationRequirement" to "event.idm.read_only_udm.security_result.detection_fields". - Replaced the value of "record.AutonomousSystemNumber" in "record_AutonomousSystemNumber" and added a conditional check before already existing mapping for "record_AutonomousSystemNumber" to "event.idm.read_only_udm.additional.fields". - Replaced the value of "record.AuthenticationProtocol" in "record_AuthenticationProtocol" and added a conditional check before already existing mapping for "record_AuthenticationProtocol" to "event.idm.read_only_udm.security_result.detection_fields". - Replaced the value of "record.Category" in "record_Category" and added a conditional check before already existing mapping for "record_Category" to "event.idm.read_only_udm.security_result.category_details". - Replaced the value of "record.ClientAppUsed" in "record_ClientAppUsed" and added a conditional check before already existing mapping for "record_ClientAppUsed" to "event.idm.read_only_udm.principal.application". - Replaced the value of "record.ConditionalAccessStatus" in "record_ConditionalAccessStatus" and added a conditional check before already existing mapping for "record_ConditionalAccessStatus" to "event.idm.read_only_udm.target.resource.attribute.labels". - Replaced the value of "record.CorrelationId" in "record_CorrelationId" and added a conditional check before already existing mapping for "record_CorrelationId" to "event.idm.read_only_udm.metadata.product_log_id". - Replaced the value of "record.HomeTenantId" in "record_HomeTenantId" and added a conditional check before already existing mapping for "record_HomeTenantId" to "event.idm.read_only_udm.additional.fields". - Replaced the value of "record.Id" in "record_Id" and added a conditional check before already existing mapping for "record_Id" to "event.idm.read_only_udm.metadata.product_log_id". - Replaced the value of "record.CreatedDateTime" in "record_CreatedDateTime" and added a conditional check before already existing mapping for "record_CreatedDateTime" to "event.idm.read_only_udm.metadata.event_timestamp". - Replaced the value of "record.Identity" in "record_Identity" and added a conditional check before already existing mapping for "record_Identity" to "event.idm.read_only_udm.target.user.user_display_name". - Replaced the value of "record.IPAddress" in "record_IPAddress" and added a conditional check before already existing mapping for "record_IPAddress" to "event.idm.read_only_udm.principal.ip" and "event.idm.read_only_udm.principal.asset.ip". - Replaced the value of "record.Level" into string in "record_Level" and added a conditional check before already existing mapping for "record_Level" to "Level". - Replaced the value of "record.LocationDetails.city" in "record_LocationDetails_city" and added a conditional check before already existing mapping for "record_LocationDetails_city" to "properties.location.city". - Replaced the value of "record.LocationDetails.state" in "record_LocationDetails_state" and added a conditional check before already existing mapping for "record_LocationDetails_state" to "properties.location.state". - Replaced the value of "record.LocationDetails.countryOrRegion" in "record_LocationDetails_countryOrRegion" and added a conditional check before already existing mapping for "record_LocationDetails_countryOrRegion" to "properties.location.countryOrRegion". - Replaced the value of "record.LocationDetails.geoCoordinates.latitude" in "record_LocationDetails_geoCoordinates_latitude" and added a conditional check before already existing mapping to "event.idm.read_only_udm.principal.location.region_coordinates.latitude". - Replaced the value of "record.LocationDetails.geoCoordinates.longitude" in "record_LocationDetails_geoCoordinates_longitude" and added a conditional check before already existing mapping for "record_LocationDetails_geoCoordinates_longitude" to "event.idm.read_only_udm.principal.location.region_coordinates.longitude". - Replaced the value of "record.OperationName" in "record_OperationName" and added a conditional check before already existing mapping for "record_OperationName" to "event.idm.read_only_udm.metadata.product_event_type". - Replaced the value of "record.OperationVersion" in "record_OperationVersion" and added a conditional check before already existing mapping for "record_OperationVersion" to "operationVersion". - Replaced the value of "record.ResultSignature" in "record_ResultSignature" and added a conditional check before already existing mapping for "record_ResultSignature" to "event.idm.read_only_udm.target.resource.attribute.labels". - Replaced the value of "record.RiskDetail" in "record_RiskDetail" and added a conditional check before already existing mapping for "record_RiskDetail" to "event.idm.read_only_udm.target.resource.attribute.labels". - Replaced the value of "record.RiskEventTypes" in "record_RiskEventTypes" and added a conditional check before already existing mapping for "record_RiskEventTypes" to "event.idm.read_only_udm.target.resource.attribute.labels". - Replaced the value of "record.RiskLevelAggregated" in "record_RiskLevelAggregated" and added a conditional check before already existing mapping for "record_RiskLevelAggregated" to "event.idm.read_only_udm.target.resource.attribute.labels". - Replaced the value of "record.RiskState" in "record_RiskState" and added a conditional check before already existing mapping for "record_RiskState" to "event.idm.read_only_udm.target.resource.attribute.labels". - Replaced the value of "record.SourceSystem" in "record_SourceSystem" and added a conditional check before already existing mapping for "record_SourceSystem" to "event.idm.read_only_udm.target.resource.attribute.labels". - Replaced the value of "record.SignInIdentifier" in "record_SignInIdentifier" and added a conditional check before already existing mapping for "record_SignInIdentifier" to "event.idm.read_only_udm.principal.user.userid". - Replaced the value of "record.TenantId" in "record_TenantId" and added a conditional check before already existing mapping for "record_TenantId" to "tenantId". - Replaced the value of "record.TokenIssuerType" in "record_TokenIssuerType" and added a conditional check before already existing mapping for "record_TokenIssuerType" to "event.idm.read_only_udm.target.resource.attribute.labels". - Replaced the value of "record.UniqueTokenIdentifier" in "record_UniqueTokenIdentifier" and added a conditional check before already existing mapping for "record_UniqueTokenIdentifier" to "event.idm.read_only_udm.target.resource.attribute.labels". - Replaced the value of "record.UserAgent" in "record_UserAgent" and added a conditional check before already existing mapping for "record_UserAgent" to "event.idm.read_only_udm.network.http.user_agent" and parsed into "event.idm.read_only_udm.network.http.parsed_user_agent". - Replaced the value of "record.UserDisplayName" in "record_UserDisplayName" and added a conditional check before already existing mapping for "record_UserDisplayName" to "event.idm.read_only_udm.principal.user.user_display_name". - Replaced the value of "record.UserId" in "record_UserId" and added a conditional check before already existing mapping for "record_UserId" to "event.idm.read_only_udm.principal.user.userid". - Replaced the value of "record.UserPrincipalName" in "record_UserPrincipalName" and added a conditional check before already existing mapping for "record_UserPrincipalName" to "event.idm.read_only_udm.principal.user.email_addresses". - Replaced the value of "record.UserType" in "record_UserType" and added a conditional check before already existing mapping for "record_UserType" to "event.idm.read_only_udm.target.resource.attribute.labels". - Replaced the value of "record._Internal_WorkspaceResourceId" in "record__Internal_WorkspaceResourceId" and added a conditional check before already existing mapping for "record__Internal_WorkspaceResourceId" to "event.idm.read_only_udm.target.resource.attribute.labels". - Replaced the value of "record._ItemId" in "record__ItemId" and added a conditional check before already existing mapping for "record__ItemId" to "event.idm.read_only_udm.target.resource.attribute.labels". - Replaced the value of "record.Resource" in "record_Resource" and added a conditional check before already existing mapping for "record_Resource" to "event.idm.read_only_udm.target.resource.attribute.labels". - Replaced the value of "record.ResourceDisplayName" in "record_ResourceDisplayName" and added a conditional check before already existing mapping for "record_ResourceDisplayName" to "event.idm.read_only_udm.target.resource.attribute.labels". - Replaced the value of "record.ResourceId" in "record_ResourceId" and added a conditional check before already existing mapping for "record_ResourceId" to "event.idm.read_only_udm.target.resource.attribute.labels". - Replaced the value of "record.ResourceIdentity" in "record_ResourceIdentity" and added a conditional check before already existing mapping for "record_ResourceIdentity" to "event.idm.read_only_udm.target.resource.attribute.labels". - Replaced the value of "record.ResourceServicePrincipalId" in "record_ResourceServicePrincipalId" and added a conditional check before already existing mapping for "record_ResourceServicePrincipalId" to "event.idm.read_only_udm.target.resource.attribute.labels". - Replaced the value of "record.ResourceTenantId" in "record_ResourceTenantId" and added a conditional check before already existing mapping for "record_ResourceTenantId" to "event.idm.read_only_udm.target.resource.attribute.labels". - Replaced the value of "record.ResourceGroup" in "record_ResourceGroup" and added a conditional check before already existing mapping for "record_ResourceGroup" to "event.idm.read_only_udm.target.resource.attribute.labels". -Added a grok pattern for "UserId" field to extract "first_user_id". - event.idm.read_only_udm.principal.user.userid: Newly mapped "first_user_id" with "event.idm.read_only_udm.principal.user.userid" UDM field. - Placed the already existing mapping of "NETWORK_CONNECTION" event type above the mapping of "USER_UNCATEGORIZED" event type. |
| 2025-06-10 | Enhancement:
- event.idm.read_only_udm.principal.location.country_or_region: Newly mapped `properties.location` raw log field with `event.idm.read_only_udm.principal.location.country_or_region` UDM field. - Removed the redundant code block. |
| 2025-05-06 | Enhancement:
- `event.idm.ready_only_udm.security_result.description`: Newly mapped `policy.result` raw log field with `event.idm.ready_only_udm.security_result.description` UDM field. - `event.idm.read_only_udm.security_result.rule_name`: Removed mapping of `apc.displayName` from `event.idm.read_only_udm.security_result.rule_name` UDM field and mapped `policy.displayName` instead - `event.idm.read_only_udm.security_result.rule_id`: Removed mapping of `apc.id` from `event.idm.read_only_udm.security_result.rule_id` UDM field and mapped `policy.id` instead - `event.idm.read_only_udm.security_result.rule_labels`: Removed mapping of `apc.Result` from `event.idm.read_only_udm.security_result.rule_labels` UDM field and mapped `policy.Result` instead - `event.idm.ready_only_udm.about.user.user_display_name`: Removed mapping of `policy.displayName` from `event.idm.ready_only_udm.about.user.user_display_name` UDM field. - `event.idm.ready_only_udm.about.user.userid`: Removed mapping of `policy.id` from `event.idm.ready_only_udm.about.user.userid` UDM field. - `event.idm.read_only_udm.about.labels`: Removed mapping of `policy.result` from `event.idm.read_only_udm.about.labels` UDM field. |
| 2025-04-22 | Enhancement:
- 'event.idm.read_only_udm.target.user.userid' : Newly mapped 'properties.servicePrincipalName' raw log field with 'event.idm.read_only_udm.target.user.userid'. - 'event.idm.read_only_udm.target.user.product_object_id' : Newly mapped 'properties.servicePrincipalId' raw log field with 'event.idm.read_only_udm.target.user.product_object_id'. - 'event.idm.read_only_udm.additional.fields' : Newly mapped 'properties.riskLevelAggregated' and 'properties.riskLevelDuringSignIn' raw log field with 'event.idm.read_only_udm.additional.fields'. - Added a null check condition before mapping 'properties.authenticationProcessingDetails' to 'event.idm.read_only_udm.additional.fields'. |
| 2025-03-18 | Enhancement:
- Mapped "record.AuthenticationProtocol" to "security_result.detection_fields". - Mapped "properties.authenticationProtocol" to "security_result.detection_fields". - Mapped "authenticationProtocol" to "security_result.detection_fields". - Mapped "properties.sessionId" to "network.session_id". - Mapped "properties.uniqueTokenIdentifier" to "additional.fields". - Mapped "properties.appServicePrincipalId" to "additional.fields". - Mapped "properties.autonomousSystemNumber" to "additional.fields". - Mapped "properties.resourceOwnerTenantId" to "additional.field". |
| 2025-02-27 | Enhancement:
- Mapped "operationName" to "additional.fields". - Mapped "displayName" to "principal.hostname". - When "has_target_user" is "true" and "has_principal_user" is "true", then mapped "metadata.event_type" to "USER_CHANGE_PERMISSIONS". |
| 2025-02-13 | Enhancement:
- Mapped "ActorIpAddress" to "principal.ip" and "principal.asset.ip". - Mapped "ClientIP" to "target.ip" and "target.asset.ip". - Mapped "ApplicationId", "ActorContextId", "InterSystemsId", and "IntraSystemId" to "security_result.detection_fields". - Mapped "ObjectId" to "principal.resource.product_object_id". - Mapped "Operation" to "metadata.product_event_type". - Mapped "OrganizationId" to "principal.resource.id". - Mapped "RecordType", "SupportTicketId", and "TargetContextId" to "security_result.detection_fields". - Mapped "targets.ID" and "targets.Type" to "target.resource.attribute.labels". - Mapped "UserId" to "principal.user.userid". - Mapped "ResultStatus", "ErrorNumber", and "Workload" to "additional.fields". - Mapped "Version" to "metadata.product_version". - Mapped "UserKey" and "UserType" to "principal.user.attribute.labels" - Mapped "DeviceProperties.ID" to "principal.asset_id". - Mapped "DeviceProperties.DisplayName" to "principal.user.user_display_name". - Mapped "DeviceProperties.SessionId" to "network.session_id". - Mapped "extendedproperty.UserAgent" to "network.http.user_agent" and "network.http.parsed_user_agent". - Mapped "Actor.ID" and "Actor.Type" to "principal.resource.attribute.labels". - Mapped "AssociatedAdminUnits" to "security_result.detection_fields". - Mapped "AzureActiveDirectoryEventType" to "security_result.summary". - Mapped "CreationTime" to "metadata.event_timestamp". |
| 2025-01-11 | Enhancement:
- Moved "security_result.summary", "security_result.severity", "security_result.rule_id", "security_result.action", and "security_result.category" out of conditional check. |
| 2024-12-05 | Enhancement:
- Added support for new format of JSON logs. |
| 2024-10-07 | Enhancement:
- Mapped "properties.userPrincipalName" to "target.user.userid". |
| 2024-09-04 | Enhancement:
- Removed mapping of "correlationId" from "network.session_id". |
| 2024-08-22 | Enhancement:
- When "displayName" is "iphone", then mapped to "principal.resource.attribute.labels". |
| 2024-07-05 | Enhancement:
- Mapped "isInteractive" to "security_result.detection_fields". |
| 2024-06-03 | - Changed mapping of "policies.displayName" from "about.user.user_display_name" to "security_result.rule_name".
- Changed mapping of "policies.id" from "about.user.userid" to "security_result.rule_id". - Changed mapping of "policies.result" from "about.labels" to "security_result.detection_fields". |
| 2024-05-29 | Enhancement:
- When "status.errorCode" is "0", then set "security_result.action" to "ALLOW". |
| 2024-05-13 | Bug-Fix:
- Mapped "userPrincipalName" to "target.user.userid". |
| 2024-05-10 | Enhancement:
- Mapped "networkLocationDetails.n.networkNames", "properties.networkLocationDetails.n.networkNames", "networkLocationDetails.n.networkType" and "properties.networkLocationDetails.n.networkType" to "additional.fields". - Mapped "properties.userAgent" and "userAgent" to "network.http.user_agent" and "network.http.parsed_user_agent". |
| 2024-05-03 | Bug-Fix:
- Added "on_error" check before mapping "target.modifiedProperties.n.newValue". - Mapped "target.modifiedProperties.n.oldValue" and "target.modifiedProperties.n.displayName" to "target.resource.attribute.labels". - Mapped "activityDisplayName" to "security_result.summary". |
| 2024-04-30 | Enhancement:
- Mapped "properties.authenticationDetails", "properties.networkLocationDetails", "properties.authenticationRequirementPolicies", "networkLocationDetails" and "authenticationRequirementPolicies" to "security_result.detection_fields". |
| 2024-04-02 | Enhancement:
- Mapped "authenticationRequirement" to "additional.fields". |
| 2024-04-02 | Enhancement:
- Mapped "authenticationRequirement" to "additional.fields". |
| 2024-04-02 | Enhancement:
- Mapped "authenticationRequirement" to "additional.fields". |
| 2024-02-26 | Enhancement:
- Mapped "appliedConditionalAccessPolicies" to "security_result". - Mapped "isInteractive" to "extensions.auth.mechanism". - Mapped "location.geoCoordinates.altitude" to "additional.fields". |
| 2024-02-09 | Enhancement:
- Mapped "authenticationDetails.authenticationMethod", "authenticationDetails.authenticationMethodDetail", "authenticationDetails.authenticationStepResultDetail", "authenticationDetails.authenticationStepDateTime", and "authenticationDetails.authenticationStepRequirement" to "security_result.detection_fields". - Mapped "authenticationDetails.succeeded" to "security_result.action". - Mapped "status.additionalDetails" to "security_result.description". |
| 2024-01-11 | Enhancement:
- Mapped "correlationId" to "security_result.detection_fields". |
| 2023-11-20 | Enhancement:
- Mapped "tenantId" to "metadata.product_deployment_id". - Mapped "Level" to "security_result.severity_details" and "security_result.severity". - Mapped "properties.userDisplayName" to "target.user.user_display_name". - Mapped "identity" to "target.user.user_display_name". - Mapped "properties.activityDateTime" to "metadata.event_timestamp". - Mapped "properties.activity" to "security_result.summary". - Mapped "resultSignature", "properties.riskLevel", "properties.isGuest", "properties.isDeleted", "properties.isProcessing", "properties.riskLastUpdatedDateTime", "properties.riskType", "properties.riskEventType", "properties.riskState", "properties.riskDetail", "properties.source", "properties.detectionTimingType" "properties.detectedDateTime", "properties.lastUpdatedDateTime", "properties.tokenIssuerType", "properties.homeTenantId", "properties.userType", "properties.crossTenantAccessType", "durationMs" to "additional.fields". - Mapped "resourceId" to "target.resource.product_object_id". - Mapped "properties.location.geoCoordinates.longitude" and "location.geoCoordinates.longitude" to "principal.location.region_coordinates.longitude". - Mapped "properties.location.geoCoordinates.latitude" and "location.geoCoordinates.latitude" to "principal.location.region_coordinates.latitude". |
| 2023-07-12 | Enhancement:
- Mapped "deviceDetail.isCompliant", "deviceDetail.isManaged", "deviceDetail.trustType" to "principal.asset.attribute.labels". - Mapped "deviceDetail.deviceId" to "principal.asset.asset_id". - Mapped "deviceDetail.browser" to "network.http.user_agent". - Mapped "deviceDetail.operatingSystem" to "principal.platform_version". - Mapped "status.failureReason" to "additional.fields". - Mapped "status.errorCode" to "security_result.rule_id". - Mapped "deviceDetail.displayName" to "principal.asset.hardware". |
| 2023-03-14 | Enhancement:
- Mapped "browser" to "principal.resource.attribute.labels". - Mapped "isCompliant", "isManaged", "trustType", to "principal.asset.attribute.labels". - Mapped "domain" form "userPrincipalName" to "principal.administrative_domain". |
| 2022-12-16 | Enhancement:
- Added conditional check for the field 'initiatedBy.user.userPrincipalName' and mapped to 'principal.user.email_addresses'. |
| 2022-10-28 | Enhancement:
- Mapped "additionalDetails.0.value" to "network.http.user_agent". - Mapped "additionalDetails.1.value" to "target.resource.attribute.labels". - Mapped "Id" to "metadata.product_log_id". - Mapped "initiatedBy.user.id" to "principal.user.userid". - Mapped "initiatedBy.user.displayName" to "principal.user.user_display_name". - Mapped "initiatedBy.user.ipAddress" to "principal.ip". - Mapped "initiatedBy.user.userPrincipalName" to "principal.user.email_addresses". - Mapped "operationType" to "security_result.action_details". - Mapped "target.displayName" to "target.resource.name". - Mapped "target.id" to "target.resource.id". - Mapped "target.type" to "target.resource.type". - Mapped "field.newValue" to "target.resource.product_object_id" if field.displayName is "AppRole.Id" else mapped "field.newValue" to "target.resource.attribute.labels". - Added check for errorCode. - Mapped "loggedByService" to "target.application". - Mapped "activityDisplayName" to "metadata.product_event_type". - Mapped "metadata.event_type" to "USER_RESOURCE_UPDATE_PERMISSIONS" where "activityDisplayName" is "Add app role assignment to service principal". |
| 2022-08-25 | Enhancement:
- If "properties.initiatedBy.user.userPrincipalName" matches "email regex pattern" then mapped to "principal.user.email_addresses" else mapped to "principal.user.userid". - If "properties.userPrincipalName" or "userPrincipalName" matches "email regex pattern" then mapped to "target.user.email_addresses" else mapped to "target.user.userid". |
| 2022-08-11 | Enhancement:
- Removed drop tag "TAG_MALFORMED_ENCODING". - Added "event_type" "GENERIC_EVENT". |
| 2022-05-29 | Enhancement - Modified the for loop for the field 'riskEventTypes_v2' mapped to 'additional.fields'.
Mapped the field 'level' to 'security_result.severity_details'. Mapped the field 'properties.result' to 'security_result.action_details'. |
| 2022-04-20 | Bug-fix - Parsed the logs with event "appDisplayName": "NotApplicable".
- Modified the for loop for the field 'riskEventTypes'. |